I thought that I'd grasped the basics of file permissions and capabilities. But now - what's that?
1. verify that there's no SETUID bit set:
$ ll /bin/ping
-rwxr-xr-x 1 root root 72776 Jan 31 00:11 /bin/ping*
2. verify that there're no capabilities set:
$ getcap /bin/ping
/bin/ping =
3. use ping
$ /bin/ping google.com
PING google.com(qro01s18-in-x0e.1e100.net (2607:f8b0:4012:80a::200e)) 56 data bytes
64 bytes from qro01s18-in-x0e.1e100.net (2607:f8b0:4012:80a::200e): icmp_seq=2 ttl=120 time=418 ms
64 bytes from qro01s18-in-x0e.1e100.net (2607:f8b0:4012:80a::200e): icmp_seq=3 ttl=120 time=102 ms
4. verify that an raw socket is opened:
$ strace -e socket ping google.com
socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) = 3
socket(AF_INET6, SOCK_DGRAM, IPPROTO_ICMPV6) = 4
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 5
socket(AF_NETLINK, **SOCK_RAW**|SOCK_CLOEXEC, NETLINK_ROUTE) = 5
>> So why the heck is /bin/ping allowed or capable of opening a SOCK_RAW without SETUID nor cap_net_raw? NOTE: I'm of course not root trying that! I'm using Linux Mint Ulyana.
Creating (normal) ICMP packets does not require special permissions anymore. You can use
socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) = 3
socket(AF_INET6, SOCK_DGRAM, IPPROTO_ICMPV6) = 4
sockets (from your logs in 4).
The SOCK_RAW marked by you in
socket(AF_NETLINK, **SOCK_RAW**|SOCK_CLOEXEC, NETLINK_ROUTE) = 5
is a NETLINK socket and used to check whether IPv6 can be used (call "ping" with "-4" or "-6" to see the difference). These kind of sockets does not require special permissions either.