Closed tieugene closed 2 years ago
Hi @tieugene! Thank you for this suggestion.
I was already aware of this behavior during my tests when I was implementing the mechanism to run certain functions without root privileges.
However, I try to make sure to offer developers only functions that are compatible with at least two operating systems including Linux (which is mainly used with this library).
So yes indeed, it works on Linux but you only get the last hop. It is therefore more of a ping, although much less efficient than the function dedicated to this purpose. This is why, even if under macOS it works, I did not retain this possibility.
Thank you anyway for your involvement!
> So yes indeed, it works on Linux but you only get the last hop. It is therefore more of a ping, although much less efficient than the function dedicated to this purpose. This is why, even if under macOS it works, I did not retain this possibility.
Nevertheless traceroute/tracert utility works ok in any desktop OS without root privileges.
> Nevertheless traceroute/tracert utility works ok in any desktop OS without root privileges.
It's not completely true. In fact, the `ping` and `traceroute` programs run as root on all systems. They are installed with root as the owner and the `setuid` bit enabled, allowing non-root users to run them with root privileges. `setcap` can also be used for this purpose.
> It's not completely true. In fact, the `ping` and `traceroute` programs run as root on all systems. They are installed with root as the owner and the `setuid` bit enabled, allowing non-root users to run them with root privileges.
It used to be like that, but not now.
```
ls -l /usr/bin/traceroute /usr/bin/ping
-rwxr-xr-x. 1 root root 95232 2021-07-25 /usr/bin/ping
-rwxr-xr-x. 1 root root 79056 2021-07-24 /usr/bin/traceroute
```
OS: Fedora more info
> It used to be like that, but not now.
Yes, that's why I added "setcap can also be used for this purpose." (file capabilities).
For the `net.ipv4.ping_group_range` parameter, icmplib already uses it for its ping function (when datagram sockets are used in non-privileged mode): read more. The `traceroute` function requires raw sockets to receive ICMP Time Exceeded messages from gateways. Raw sockets require root privileges to run and the `net.ipv4.ping_group_range` parameter has no effect on this.
By the way, your article on Fedora only mentions the `ping` and not the `traceroute` binary.
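As an added example (not icmplib code and not written by anyone in this thread), the sketch below checks which of the mechanisms discussed above applies on a Linux host: the setuid bit, a `CAP_NET_RAW` file capability as set with `setcap`, or `net.ipv4.ping_group_range`. The function names are assumptions made for illustration; the xattr layout follows `struct vfs_cap_data` from `linux/capability.h`.

```python
import os
import stat
import struct

CAP_NET_RAW = 13  # bit number from linux/capability.h
PING_RANGE = "/proc/sys/net/ipv4/ping_group_range"

def has_cap_net_raw(xattr: bytes) -> bool:
    """Decode a security.capability xattr (struct vfs_cap_data) and
    report whether CAP_NET_RAW is in the permitted set."""
    if len(xattr) < 12:
        return False
    # magic_etc, then the first (permitted, inheritable) pair, little-endian
    _magic, permitted_low, _inheritable = struct.unpack_from("<III", xattr)
    return bool(permitted_low & (1 << CAP_NET_RAW))

def privilege_source(mode: int, owner_uid: int, xattr: bytes = b"") -> str:
    """Classify how an executable obtains raw-socket privilege."""
    if mode & stat.S_ISUID and owner_uid == 0:
        return "setuid-root"
    if has_cap_net_raw(xattr):
        return "file-capability"
    return "none"

def dgram_icmp_allowed(range_text: str, gids) -> bool:
    """True if any gid falls inside net.ipv4.ping_group_range.
    The kernel default "1 0" is an empty range (nobody allowed)."""
    low, high = (int(v) for v in range_text.split())
    return any(low <= g <= high for g in gids)

def audit(path: str) -> str:
    """Inspect a real binary: stat it and read its capability xattr."""
    st = os.stat(path)
    try:
        xattr = os.getxattr(path, "security.capability")
    except (OSError, AttributeError):  # attribute not set, or not Linux
        xattr = b""
    return privilege_source(st.st_mode, st.st_uid, xattr)

if __name__ == "__main__":
    for binary in ("/usr/bin/ping", "/usr/bin/traceroute"):
        if os.path.exists(binary):
            print(binary, "->", audit(binary))
    if os.path.exists(PING_RANGE):
        with open(PING_RANGE) as fh:
            gids = [os.getegid(), *os.getgroups()]
            print("datagram ICMP allowed:", dgram_icmp_allowed(fh.read(), gids))
```

A mode of `-rwxr-xr-x` owned by root, as in the listing above, rules out setuid; `ls -l` does not show file capabilities, so the xattr check is what tells whether `setcap` was used instead.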
> By the way, your article on Fedora only mentions the `ping` and not the `traceroute` binary.
Yes you are right, but I meant neither ping nor traceroute need suid or cap. Fedora uses this implementation of traceroute. Citation from the web page: _Note, that this implementation is intended for Linux only. It utilizes some currently Linux-specific features (including MSG_ERRQUEUE for recvmsg(2)), which allow such things like the use by unprivileged users (without setuid bit) for some type of tracerouting. The Linux kernel 2.6 or higher required._
Hi @sunwire,
Thanks for this information. It's very interesting. I'll try to see the implementation used and maybe use it for icmplib. If you have time, don't hesitate to make a PR. I will be happy to validate it!
Works for macOS 10.15 (with patch):
PS. works for linux too but returns list with last hop only