Non-root traceroute

[tieugene]

Works for macOS 10.15 (with patch):

>>> print(icmplib.traceroute("www.google.com", privileged=False))
[<Hop 1 [...]>, <Hop 2 [...]>, <Hop 3 [...]>, <Hop 4 [188.234.131.158]>, <Hop 5 [188.234.131.159]>, <Hop 6 [172.253.76.91]>, <Hop 7 [74.125.244.181]>, <Hop 8 [72.14.232.84]>, <Hop 9 [142.251.61.219]>, <Hop 10 [142.250.56.129]>, <Hop 20 [64.233.162.147]>]
>>> 

PS. works for linux too but returns list with last hop only

[ValentinBELYN]

Hi @tieugene! Thank you for this suggestion.

I was already aware of this behavior during my tests when I was implementing the mechanism to run certain functions without root privileges.

However, I try to make sure to offer developers only functions that are compatible with at least two operating systems including Linux (which is mainly used with this library).

So yes indeed, it works on Linux but you only get the last hop. It is therefore more of a ping, although much less efficient than the function dedicated to this purpose. This is why, even if under macOS it works, I did not retain this possibility.

Thank you anyway for your involvement!

[tieugene]

So yes indeed, it works on Linux but you only get the last hop. It is therefore more of a ping, although much less efficient than the function dedicated to this purpose. This is why, even if under macOS it works, I did not retain this possibility.

Nevertheless traceroute/tracert utility works ok in any desktop OS without root privileges.

[ValentinBELYN]

Nevertheless traceroute/tracert utility works ok in any desktop OS without root privileges.

It's not completely true. In fact, the ping and traceroute programs run as root on all systems. They are installed with root as the owner and the setuid bit enabled, allowing non-root users to run them with root privileges. setcap can also be used for this purpose.

[sunwire]

It's not completely true. In fact, the ping and traceroute programs run as root on all systems. They are installed with root as the owner and the setuid bit enabled, allowing non-root users to run them with root privileges.

It used to be like that, but not now.

ls -l /usr/bin/traceroute /usr/bin/ping
-rwxr-xr-x. 1 root root 95232 2021-07-25  /usr/bin/ping
-rwxr-xr-x. 1 root root 79056 2021-07-24  /usr/bin/traceroute

OS: Fedora more info

[ValentinBELYN]

It used to be like that, but not now.

Yes, that's why I added "setcap can also be used for this purpose." (file capabilities).

For the net.ipv4.ping_group_range parameter, icmplib already uses it for its ping function (when datagram sockets are used in non-privileged mode) : read more. The traceroute function requires raw sockets to receive ICMP Time Exceeded messages from gateways. Raw sockets require root privileges to run and the net.ipv4.ping_group_range parameter has no effect on this.

By the way, your article on Fedora only mentions the ping and not the traceroute binary.

[sunwire]

By the way, your article on Fedora only mentions the ping and not the traceroute binary.

Yes you are right, but I meant neither ping nor traceroute need suid or cap. Fedora uses this implementation of tracerout. Citation from the web page: _Note, that this implementation is intended for Linux only. It utilizes some currently Linux-specific features (including MSGERRQUEUE for recvmsg(2)), which allow such things like the use by unprivileged users (without setuid bit) for some type of tracerouting. The Linux kernel 2.6 or higher required.

[ValentinBELYN]

Hi @sunwire,

Thanks for these informations. It's very interesting. I'll try to see the implementation used and maybe use it for icmplib. If you have time, don't hesitate to make a PR. I will be happy to validate it!