gliderlabs / docker-alpine

Alpine Linux Docker image. Win at minimalism!
http://gliderlabs.viewdocs.io/docker-alpine
BSD 2-Clause "Simplified" License

ping: permission denied (are you root?) flooding y #528

Open pedroricardo opened 4 years ago

pedroricardo commented 4 years ago

I don't know if this is a bug but today I got a weird result that can be easily reproduced.

I created a container with --cap-drop=ALL from the image 10.16.3-alpine. Soon after, I accessed the container terminal with the command docker exec -ti CONTAINER_ID /bin/sh and used a basic command: ping www.google.com. I got the result ping: permission denied (are you root?). Out of curiosity I tried ping www.google.com && yes or ping www.google.com; yes, and I received an absurd flood of the letter Y without stopping on my console. I had to restart my machine to get out of the infinite loop.

I believe that if this has no connection to the alpine image or cannot be resolved, the phrase (are you root?) should be removed.

AXington commented 4 years ago

It means that either you don't have permission to run it or it won't allow you to run it as root. The reason it repeatedly prints y is that, by trying to respond literally to the command, it looks like it's passing y into a bunch of pings, or some weird thing like that. Pretty sure that since you're responding with yes, the ping binary is refusing to run as root.

Actually: https://stackoverflow.com/questions/49302556/why-ping-does-work-from-user-but-does-not-work-as-root-why-root-cannot-load-ex

However, you might have inadvertently found a hilarious bug, but not a docker-alpine bug. Probably busybox... or maybe GNU? Not sure what version of ping is on alpine.

inter169 commented 4 years ago

Hi, based on the alpine shell output:

/ # ls -la /bin/ping
lrwxrwxrwx    1 root     root            12 Jun 19  2019 /bin/ping -> /bin/busybox

ping (in alpine) is ported from busybox, and in the original source code (linked here) it simply terminates by calling the syscall exit_group(1) after printing the error message "ping: permission denied (are you root?)".

As an alpine linux distro it also patched some fixes (or enhancements). Taking alpine-3.10, the patched busybox details are here, and the corresponding tar is found here; untar it and the ping patch is located at aports-*/main/busybox/0006-ping-make-ping-work-without-root-privileges.patch. This patch adds another ICMP method using the datagram socket type (SOCK_DGRAM), besides the raw socket type (SOCK_RAW) used in the original busybox implementation.

Basically ping (ICMP) needs the CAP_NET_RAW capability. On the alpine docker container with no capabilities at all ('--cap-drop=ALL'), both socket types (SOCK_RAW, SOCK_DGRAM) fail to be created; see the strace snippets below:

//1. the original busybox implements (SOCK_RAW)
socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) = -1 EPERM (Operation not permitted)

//2. the patched enhancement (SOCK_DGRAM)
socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) = -1 EACCES (Permission denied)

//output that error and terminated
write(2, "ping: permission denied (are you root?)\n", 40) = 40 <0.000209>
exit_group(1)     = ?
+++ exited with 1 +++

As the code and the strace debugging above show, it didn't accept the input character 'y', so the command 'yes' just output 'y' repeatedly.

thanks

AXington commented 4 years ago

So, there are two issues.

1. Don't run ping as root. I already replied with the reason for that.

2. It's not asking a question; it's exiting, and that's its error message.

So when you put in 'yes' you're entering the *nix yes command. https://www.computerhope.com/unix/yes.htm

On Thu, Apr 9, 2020, 11:45 PM harperwang notifications@github.com wrote:

Hi, based on the alpine shell output:

/ # ls -la /bin/ping
lrwxrwxrwx    1 root     root            12 Jun 19  2019 /bin/ping -> /bin/busybox

ping (in alpine) is ported from busybox, and in the original source code here https://github.com/mirror/busybox/blob/1_30_1/networking/ping.c#L187 it simply terminates by calling the syscall exit_group(1) after printing the error message "ping: permission denied (are you root?)".

As an alpine linux distro it also patched some fixes (or enhancements). Taking alpine-3.10, the patched busybox details are here https://pkgs.alpinelinux.org/package/v3.10/main/x86_64/busybox, and the corresponding tar is found here https://git.alpinelinux.org/aports/snapshot/aports-bad6ce215708bb0f2a04be3c290d573966d18c7c.tar.xz; untar it and the ping patch is located at aports-*/main/busybox/0006-ping-make-ping-work-without-root-privileges.patch

This patch adds another ICMP method using the datagram socket type (SOCK_DGRAM), besides the raw socket type (SOCK_RAW) used in the original busybox implementation.

Basically ping (ICMP) needs the CAP_NET_RAW capability http://man7.org/linux/man-pages/man7/capabilities.7.html. On the alpine docker container with no capabilities at all ('--cap-drop=ALL'), both socket types (SOCK_RAW, SOCK_DGRAM) fail to be created; see the strace snippets below:

//1. the original busybox implements (SOCK_RAW)
socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) = -1 EPERM (Operation not permitted)

//2. the patched enhancement (SOCK_DGRAM)
socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) = -1 EACCES (Permission denied)

//output that error and terminated
write(2, "ping: permission denied (are you root?)\n", 40) = 40 <0.000209>
exit_group(1)     = ?
+++ exited with 1 +++

As the code and the strace debugging above show, it didn't accept the input character 'y', so the command 'yes' just output 'y' repeatedly.

thanks


inter169 commented 4 years ago

1. Don't run ping as root. I already replied with the reason for that.

It needs the CAP_NET_RAW capability, regardless of whether it runs as root or not.

leshow commented 2 years ago

The socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) socket doesn't require cap_net_raw or root; it just requires the net.ipv4.ping_group_range kernel setting to include a group id which your user is in.
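The thread ends up identifying two independent preconditions for busybox ping: inter169's strace shows the SOCK_RAW path needs CAP_NET_RAW, and leshow points out the SOCK_DGRAM path instead needs net.ipv4.ping_group_range to cover one of the caller's GIDs. The script below is an added diagnostic, not code from the docker-alpine project or from any commenter; run it inside a container to see which of the two paths can work before reaching for ping itself. It reads the real procfs locations (/proc/self/status CapEff, /proc/sys/net/ipv4/ping_group_range) and uses the real capability bit number for CAP_NET_RAW (13); the function names and verdict strings are my own.

```shell
#!/bin/sh
# Added diagnostic (not part of docker-alpine): explain why busybox ping may
# print "ping: permission denied (are you root?)" inside a container.
# Two independent ways ping can work:
#   1. CAP_NET_RAW (bit 13) in the effective set  -> SOCK_RAW ICMP socket
#   2. net.ipv4.ping_group_range covers one GID   -> SOCK_DGRAM ICMP socket
# Function names and verdict strings ("raw-ok", "dgram-ok", "denied") are
# assumptions of this example; the bit number and file paths are real.

# cap_has MASK_HEX BIT: succeeds if BIT is set in the hex capability mask
# (the CapEff value from /proc/self/status, e.g. 0000003fffffffff).
cap_has() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# gid_in_range "LOW HIGH" GID: succeeds if LOW <= GID <= HIGH.
# The kernel default "1 0" is an empty range, so nothing matches it.
gid_in_range() {
    set -- $1 $2          # word-split "LOW HIGH"; GID becomes $3
    [ "$3" -ge "$1" ] && [ "$3" -le "$2" ]
}

# ping_diagnose: print one verdict for the current process and return 0 if
# some ICMP socket type should be creatable, 1 otherwise.
ping_diagnose() {
    caps=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null)
    caps=${caps:-0}       # non-Linux or restricted /proc: treat as no caps
    range=$(cat /proc/sys/net/ipv4/ping_group_range 2>/dev/null || echo "1 0")

    if cap_has "$caps" 13; then
        echo "raw-ok"     # SOCK_RAW works: CAP_NET_RAW is effective
        return 0
    fi
    for g in $(id -G); do
        if gid_in_range "$range" "$g"; then
            echo "dgram-ok"   # SOCK_DGRAM works via ping_group_range
            return 0
        fi
    done
    echo "denied"         # both paths closed: the situation in this issue
    return 1
}

# Run the diagnostic when executed directly.
ping_diagnose
```

With --cap-drop=ALL and the kernel's default empty ping_group_range this prints "denied", which is exactly the state inter169's strace captured (EPERM on SOCK_RAW, EACCES on SOCK_DGRAM). The least-privilege fix for a container that genuinely needs ping is to keep everything dropped and add back only the one capability (docker run --cap-drop=ALL --cap-add=NET_RAW ...), or, as leshow describes, to leave CAP_NET_RAW out entirely and open the datagram path with --sysctl net.ipv4.ping_group_range="0 2147483647", which grants only the ability to send ICMP echo rather than arbitrary raw packets.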