/usr/jail/bin/ping is a hardlink to /bin/ping, a 4755 permissions root:root suid binary
Outside of a chroot, non-root users can ping hosts. Inside a chroot, however, not even root can run it:
root@falcon ~# ping google.com
PING google.com (72.14.207.99) 56(84) bytes of data.
64 bytes from eh-in-f99.google.com (72.14.207.99): icmp_seq=1 ttl=244 time=26.0 ms
root@falcon ~# chroot /usr/jail/
root@falcon /# ping google.com
ping: icmp open socket: Operation not permitted
root@falcon /# exit
I've even tried using ping w/o it being a hardlink: copied /bin/ping to /usr/jail/bin/pping, set the 4755 perms on it, still no luck.
strace reveals:
socket(PF_INET, SOCK_RAW, IPPROTO_ICMP) = -1 EPERM (Operation not permitted)
Same goes for mtr:
root@falcon ~# chroot /usr/jail/
root@falcon /# mtr google.com
mtr: unable to get raw sockets.
I've tried this with chroot restrictions both enabled and disabled in the kernel.
Haven't found anything on Google or these forums... they all point to ping not having the suid bit, which it does. I don't have this problem with a non-grsec kernel.
Ideas anyone?
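A small diagnostic worth running both inside and outside the jail (added example, not code from the post above): it repeats the exact socket() call that strace showed failing and then reads CAP_NET_RAW from the process's bounding and effective capability sets, which tells apart "ping lost its suid bit" from "the chrooted process no longer holds the capability raw sockets need". It assumes Linux kernel headers (linux/capability.h) are installed and deliberately avoids libcap.

```c
/* rawprobe.c: reproduce the strace'd socket() call and report capability
 * state. Build with: gcc -o rawprobe rawprobe.c
 * Run as root outside the chroot, then copy it in and run it under chroot. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <netinet/in.h>
#include <linux/capability.h>

/* Same call ping makes; returns 0 on success, otherwise the errno value. */
int probe_raw_icmp_socket(void) {
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* 1 if cap is in the bounding set, 0 if it has been dropped, -1 on error
 * (e.g. an invalid capability number). */
int cap_in_bounding_set(int cap) {
    return (int)prctl(PR_CAPBSET_READ, (unsigned long)cap, 0UL, 0UL, 0UL);
}

/* 1 if cap is in this process's effective set, 0 if not, -1 on error.
 * Uses the raw capget syscall so no libcap is needed. */
int cap_in_effective_set(int cap) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    return (int)((data[cap >> 5].effective >> (cap & 31)) & 1U);
}

int main(void) {
    int err = probe_raw_icmp_socket();
    printf("socket(AF_INET, SOCK_RAW, IPPROTO_ICMP): %s\n",
           err ? strerror(err) : "ok");
    printf("euid=%u  CAP_NET_RAW bounding=%d effective=%d\n",
           (unsigned)geteuid(),
           cap_in_bounding_set(CAP_NET_RAW),
           cap_in_effective_set(CAP_NET_RAW));
    return err ? 1 : 0;
}
```

If the suid bit were the problem, euid would not be 0 inside the jail; if euid is 0 but CAP_NET_RAW shows 0 in either set while the same binary shows 1 outside, the chroot itself is stripping the capability and the EPERM follows from that.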