Interesting: icmp without privileges or capabilities #105

@dreua

It should be possible to send and receive icmp pings without privileges or capabilities:

Unfortunately it's not as simple as:

        if( psaddr.sin6_family == AF_INET )
        {
-               return socket(PF_INET, SOCK_RAW, IPPROTO_ICMP);
+               return socket(PF_INET, SOCK_DGRAM, IPPROTO_ICMP);
        }
        else if( psaddr.sin6_family == AF_INET6 )
        {
-               return socket(PF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
+               return socket(PF_INET6, SOCK_DGRAM, IPPROTO_ICMPV6);
        }
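
Review bot: both branches return the SOCK_DGRAM socket() result directly, so a caller whose group is outside net.ipv4.ping_group_range gets a failed socket() with no fallback to the SOCK_RAW call that was removed; try SOCK_DGRAM first and fall back to SOCK_RAW on failure. The rest of the ping path also has to follow the socket type: a Linux SOCK_DGRAM ICMP socket overwrites the echo identifier with the socket's local port and, for IPv4, delivers replies without the leading IP header that SOCK_RAW includes, so receive code that skips an IP header or matches on its own identifier needs to branch on which socket type was opened.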

This compiles and runs but it shows all pings as lost. Might be easy to fix, I've just spent two minutes to make this quick test.

The usage of this kernel feature might be restricted, but I expect it to be allowed on all modern Unix systems. (I may be wrong, but it has probably been introduced to allow containers (docker etc.) to use ping without any privileges. As using containers is pretty standard nowadays, it is reasonable to assume that it should be allowed on all modern Linux distributions.)

```
# Fedora Linux 38
$ sysctl net.ipv4.ping_group_range
net.ipv4.ping_group_range = 0	2147483647

# Lineage OS on Pixel 3a
sargo:/ $ sysctl net.ipv4.ping_group_range
net.ipv4.ping_group_range = 0	2147483647
```

TODO

  • Check for rate limiting
  • Check with IPv6 (i.e. why is the kernel setting ipv4 only?)
  • Check on unrooted stock Android
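
An added example, not part of the original issue or the project's code: one way to use the unprivileged ping socket where `net.ipv4.ping_group_range` permits it and keep the raw socket as a fallback, so the tool needs CAP_NET_RAW or setuid root only on systems that restrict the feature. The helper names `gid_in_ping_range` and `open_icmp_socket` are hypothetical, and the range strings in the comments are the sysctl value format shown above.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: is `gid` inside a ping_group_range value such as
 * "0\t2147483647"? The range is inclusive. The Linux default "1\t0" is an
 * empty range, so no group (not even root's) may open ping sockets. */
int gid_in_ping_range(const char *sysctl_value, unsigned long gid)
{
    unsigned long lo, hi;
    if (sscanf(sysctl_value, "%lu %lu", &lo, &hi) != 2)
        return 0;                       /* unparsable: treat as not allowed */
    return lo <= gid && gid <= hi;
}

/* Hypothetical helper: prefer the unprivileged SOCK_DGRAM ping socket and
 * fall back to SOCK_RAW when the kernel refuses it (EACCES when the caller's
 * group is outside the range). *is_dgram tells the receive path which
 * semantics apply: on a ping socket the kernel replaces the echo identifier
 * with the socket's local port, and IPv4 replies arrive without the IP
 * header that an IPv4 SOCK_RAW socket delivers. */
int open_icmp_socket(int family, int *is_dgram)
{
    int proto = (family == AF_INET6) ? IPPROTO_ICMPV6 : IPPROTO_ICMP;
    int fd = socket(family, SOCK_DGRAM, proto);
    *is_dgram = (fd >= 0);
    if (fd < 0)
        fd = socket(family, SOCK_RAW, proto);  /* needs CAP_NET_RAW or root */
    return fd;
}

int main(void)
{
    int is_dgram = 0;
    int fd = open_icmp_socket(AF_INET, &is_dgram);
    if (fd < 0) {
        perror("socket");               /* neither socket type is permitted */
        return 1;
    }
    printf("opened %s ICMP socket\n",
           is_dgram ? "unprivileged SOCK_DGRAM" : "SOCK_RAW");
    close(fd);
    return 0;
}
```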
