ValentinBELYN / icmplib

Easily forge ICMP packets and make your own ping and traceroute.
GNU Lesser General Public License v3.0

Using icmplib without root permission #46

Closed jabaa closed 2 years ago

jabaa commented 2 years ago

Is it possible to use this library without root permission?

I'm using Kali Linux kali 5.16.0-kali1-amd64 #1 SMP PREEMPT Debian 5.16.7-2kali1 (2022-02-10) x86_64 GNU/Linux with Python 3.9 and icmplib-3.0.3. I can run ping in my terminal. I've checked

$ ls -l $(which ping)
-rwxr-xr-x 1 root root 81600 Feb  5 05:37 /usr/bin/ping

As you can see, SUID and SGID aren't set. I've checked

$ sysctl net.ipv4.ping_group_range
net.ipv4.ping_group_range = 1   0

Obviously, ping can be run without root permission.

I've tried

from icmplib import ping
ping('192.168.178.1', privileged=False)

and got

Traceback (most recent call last):
  File "/workdir/lib/python3.9/site-packages/icmplib/sockets.py", line 88, in __init__
    self._sock = self._create_socket(
  File "/workdir/lib/python3.9/site-packages/icmplib/sockets.py", line 486, in _create_socket
    return socket.socket(
  File "/usr/lib/python3.9/socket.py", line 232, in __init__
    _socket.socket.__init__(self, family, type, proto, fileno)
PermissionError: [Errno 13] Permission denied

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/workdir/main.py", line 5, in <module>
    ping('192.168.178.1', privileged=False)
  File "/workdir/lib/python3.9/site-packages/icmplib/ping.py", line 141, in ping
    with _Socket(source, privileged) as sock:
  File "/workdir/lib/python3.9/site-packages/icmplib/sockets.py", line 97, in __init__
    raise SocketPermissionError(privileged)
icmplib.exceptions.SocketPermissionError: A prior configuration of your OS is required to use ICMP sockets without root privileges. Read more on https://github.com/ValentinBELYN/icmplib

I don't have permissions to change

sudo sysctl -w net.ipv4.ping_group_range='0 2147483647'

Is there a way to use this library? Is this problem related to the way this library works or is it a general Python problem?

sunwire commented 2 years ago

> Obviously, ping can be run without root permission.

I think because Kali Linux is Debian based, ping uses file capabilities: getcap /usr/bin/ping

jabaa commented 2 years ago

@sunwire Thank you. It seems you're right. /usr/bin/ping has network capabilities:

$ getcap $(which ping)
/usr/bin/ping cap_net_raw=ep

I checked other libraries and the only way I've found was to spawn a ping process. It looks like there is no way to use a Python library for this without sudo (at least once to configure the system) or ping.

ValentinBELYN commented 2 years ago

Hi!

Thanks @sunwire for answering @jabaa 👍

@jabaa Your problem is not related to the library directly. You must set the net.ipv4.ping_group_range parameter of your system to allow the use of datagram sockets (instead of raw sockets) for sending ICMP messages and therefore, to use the library without root privileges.

Related documentation: https://github.com/ValentinBELYN/icmplib/blob/main/docs/6-use-icmplib-without-privileges.md

Otherwise, what do you mean by "I don't have permissions to change"?

As long as you have the result below (1 0), you will not be able to use this library without root privileges:

$ sysctl net.ipv4.ping_group_range
net.ipv4.ping_group_range = 1   0   # functionality disabled: no user, even root, can use datagram sockets for ICMP requests
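
Added example (not part of the thread and not icmplib code): a pre-flight check for the condition discussed above. It parses `net.ipv4.ping_group_range`, compares it with the process's effective and supplementary GIDs, and tries to open the datagram ICMP socket. The function names are assumptions made for this sketch.

```python
import os
import socket

# Linux exposes the sysctl as a file; the value is "<low> <high>".
PING_GROUP_RANGE = "/proc/sys/net/ipv4/ping_group_range"


def parse_ping_group_range(text):
    """Parse the sysctl value (e.g. '1\\t0' or '0 2147483647') into (low, high)."""
    fields = text.split()
    if len(fields) != 2:
        raise ValueError(f"unexpected ping_group_range value: {text!r}")
    return int(fields[0]), int(fields[1])


def gids_allowed(gid_range, gids):
    """True if any GID lies in the inclusive range.

    A range with low > high, such as the default '1 0', matches no group,
    so datagram ICMP sockets are disabled for every user.
    """
    low, high = gid_range
    return any(low <= gid <= high for gid in gids)


def can_open_icmp_dgram():
    """Try to create an ICMP datagram socket, the unprivileged alternative to a raw socket."""
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM,
                             socket.IPPROTO_ICMP)
    except OSError:  # PermissionError (EACCES) is a subclass of OSError
        return False
    sock.close()
    return True


def report():
    """Collect the sysctl range, this process's GIDs, and the socket test result."""
    with open(PING_GROUP_RANGE) as handle:
        gid_range = parse_ping_group_range(handle.read())
    gids = {os.getegid(), *os.getgroups()}
    return {
        "range": gid_range,
        "gids": sorted(gids),
        "sysctl_allows": gids_allowed(gid_range, gids),
        "socket_opens": can_open_icmp_dgram(),
    }


if __name__ == "__main__":
    print(report())
```

The range does not have to cover every GID: setting both bounds to a single group's GID enables datagram ICMP sockets for members of that group only.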

jabaa commented 2 years ago

@ValentinBELYN, I've read this part of the documentation, but the steps are not possible for me. I have to distribute software to computer systems that I don't have sudo access to. I can't

$ sudo sysctl -w net.ipv4.ping_group_range='0 2147483647'

I don't have the permissions and

$ sysctl -w net.ipv4.ping_group_range='0 2147483647'

without sudo doesn't work. My question was:

My company gives me a laptop with Kali Linux without sudo permission. Is it possible to send a ping without the terminal program ping? It seems like it's not possible. This laptop is the dev/test environment the software is later deployed to.

The answer is: No, it's not possible. I either have to use sudo to modify the kernel settings or to run the script.

kocic11 commented 2 years ago

I am getting the same error on the Windows server (see below). Based on the documentation, the privileged flag is ignored on Windows.

Traceback (most recent call last):
  File "C:\Users\opc\nvpenv\lib\site-packages\icmplib\sockets.py", line 88, in __init__
    self._sock = self._create_socket(
  File "C:\Users\opc\nvpenv\lib\site-packages\icmplib\sockets.py", line 486, in _create_socket
    return socket.socket(
  File "C:\Program Files\Python310\lib\socket.py", line 232, in __init__
    _socket.socket.__init__(self, family, type, proto, fileno)
OSError: [WinError 10013] An attempt was made to access a socket in a way forbidden by its access permissions

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Program Files\Python310\lib\threading.py", line 1009, in _bootstrap_inner
    self.run()
  File "C:\Program Files\Python310\lib\threading.py", line 946, in run
    self._target(*self._args, **self._kwargs)
  File "C:\Users\opc\nvpenv\lib\site-packages\nvp\nvp_manager.py", line 70, in ping_monitor
    self.GetAllBoatStatuses()
  File "C:\Users\opc\nvpenv\lib\site-packages\nvp\nvp_manager.py", line 76, in GetAllBoatStatuses
    hosts = multiping(all_hosts, count=1, timeout=2, privileged=False)
  File "C:\Users\opc\nvpenv\lib\site-packages\icmplib\multiping.py", line 267, in multiping
    return asyncio.run(
  File "C:\Program Files\Python310\lib\asyncio\runners.py", line 44, in run
    return loop.run_until_complete(main)
  File "C:\Program Files\Python310\lib\asyncio\base_events.py", line 646, in run_until_complete
    return future.result()
  File "C:\Users\opc\nvpenv\lib\site-packages\icmplib\multiping.py", line 163, in async_multiping
    return [task.result() for task in tasks]
  File "C:\Users\opc\nvpenv\lib\site-packages\icmplib\multiping.py", line 163, in <listcomp>
    return [task.result() for task in tasks]
  File "C:\Users\opc\nvpenv\lib\site-packages\icmplib\ping.py", line 274, in async_ping
    with AsyncSocket(_Socket(source, privileged)) as sock:
  File "C:\Users\opc\nvpenv\lib\site-packages\icmplib\sockets.py", line 97, in __init__
    raise SocketPermissionError(privileged)
icmplib.exceptions.SocketPermissionError: A prior configuration of your OS is required to use ICMP sockets without root privileges. Read more on https://github.com/ValentinBELYN/icmplib