Ad Widget

**kloczek** · 23-05-2018, 21:33

On all latest Linux distros all *ping commands are no longer suid root.

Code:

$ getcap /usr/*bin/*ping 
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/fping = cap_net_raw+ep

With all those capabilities all those programs are able to do what they need without running them under root account permission.
I don't know which one Linux distribution you are using but I'm sure that instead use binaries compiled by you you can just install fping package and all will start working as you expect.

**Prost** · 24-05-2018, 10:17

Thanks for your answer.

My Linux distribution is Debian 9.1.
For fping, it has been installed by "apt-get install fping", it's not a binary compiled.

I agree that not all these programs need running under root account permission, but I don't understand why for a lot of servers, fping check is OK, and for few servers it's not, and that the automatically uses fping6.
How can I tell Zabbix use fping and not fping6, without comment line fping6 in zabbix_server.conf ? It's a problem with configuration host ?
How zabbix can used fping without root account permission like is for a lot of server ?
And why I can fping with "su - zabbix" > "fping 8.8.8.8", and not when "su zabbix -c /usr/bin/fping 8.8.8.8 ?

I'm sorry for all this questions, but I would like to understand.

Do you need more information it can help you to solved my problem ?

Thanks

**Prost** · 24-05-2018, 10:40

Thanks for your answer.

My Linux distribution is Debian 9.1.
For fping, it has been installed by "apt-get install fping", it's not a binary compiled.

I agree that not all these programs need running under root account permission, but I don't understand why for a lot of servers, fping check is OK, and for few servers it's not, and that the automatically uses fping6.
How can I tell Zabbix use fping and not fping6, without comment line fping6 in zabbix_server.conf ? It's a problem with configuration host ?
How zabbix can used fping without root account permission like is for a lot of server ?
And why I can fping with "su - zabbix" > "fping 8.8.8.8", and not when "su zabbix -c /usr/bin/fping 8.8.8.8 ?

I'm sorry for all this questions, but I would like to understand.

Do you need more information it can help you to solved my problem ?

Thanks

**kloczek** · 24-05-2018, 11:29

Originally posted by Prost

I agree that not all these programs need running under root account permission, but I don't understand why for a lot of servers, fping check is OK, and for few servers it's not, and that the automatically uses fping6.
How can I tell Zabbix use fping and not fping6, without comment line fping6 in zabbix_server.conf ? It's a problem with configuration host ?
How zabbix can used fping without root account permission like is for a lot of server ?
And why I can fping with "su - zabbix" > "fping 8.8.8.8", and not when "su zabbix -c /usr/bin/fping 8.8.8.8 ?

If you will check what shows getcap command on fping command probably you will see that on your system is missing cap ext attribute.
in your system zabbix user simple do not have cap_net_raw privileges (because it is just non-root account) and by this fping binary shows permission denied error message.

**Prost** · 24-05-2018, 12:23

Thanks again

After your first answer, I add permission cap_net_raw on /usr/bin/fping
Now, I have :
ls -l fping
-rws--x--- 1 root zabbix 39232 Jan 11 2017 fping
and
getcap /usr/bin/fping
/usr/bin/fping = cap_net_raw+ep

The error it's the same : "fping failed: /usr/bin/fping: can't create socket (must run as root?) : Permission denied"

The permission is good ?

Thanks

**kloczek** · 24-05-2018, 12:38

Originally posted by Prost

Thanks again

After your first answer, I add permission cap_net_raw on /usr/bin/fping
Now, I have :
ls -l fping
-rws--x--- 1 root zabbix 39232 Jan 11 2017 fping
and
getcap /usr/bin/fping
/usr/bin/fping = cap_net_raw+ep

The error it's the same : "fping failed: /usr/bin/fping: can't create socket (must run as root?) : Permission denied"

The permission is good ?

Nope ..

Code:

# ls -la /usr/sbin/fping
-rwxr-xr-x. 1 root root 47312 Feb  7 10:11 /usr/sbin/fping

**Prost** · 24-05-2018, 15:47

I changed the permissions as you did
ls -l /usr/bin/fping
-rwxr-xr-x 1 root root 39232 Jan 11 2017 /usr/bin/fping
I have test with and without setcap cap_net_raw+ep /usr/bin/fping, and error message is always the same.

I don't understand why for a big part of servers it's OK, and for few others, it's not.

**kloczek** · 24-05-2018, 16:11

Originally posted by Prost

I changed the permissions as you did
ls -l /usr/bin/fping
-rwxr-xr-x 1 root root 39232 Jan 11 2017 /usr/bin/fping
I have test with and without setcap cap_net_raw+ep /usr/bin/fping, and error message is always the same.

I don't understand why for a big part of servers it's OK, and for few others, it's not.

Which one kernel version and which one type of the file system you are using on the volume where is installed fping?
Does ping work for you from non-root? is it suid root or has only ext attrs with caps?

**Prost** · 25-05-2018, 09:12

Informations asked on system :
- kernel version : 3.16.0-4-amd64
- type of the file system : ext4

For ping, it work for non-root, and here the permissions for ping :
ls -l /bin/ping
-rwxr-xr-x 1 root root 61240 Nov 10 2016 /bin/ping
getcap /bin/ping
/bin/ping = cap_net_raw+ep

Thanks again for your help.

**kloczek** · 25-05-2018, 10:33

Originally posted by Prost

Informations asked on system :
- kernel version : 3.16.0-4-amd64
- type of the file system : ext4

And that quite old version of the kernel may be kind of obstacle here because only in some of the 4.x kernels have been added using cap ext arrt to apply proper capabilities on binaries execution time..
I have no around systems with such old kernels so I cannot test this but IMO it is only possible cause.

**Prost** · 25-05-2018, 14:15

OK, thank you
Do you have an opportunity to explain to me how zabbix check works, for fping in our case ?
What I think :
- Zabbix Server send request to zabbix agent ;
- Zabbix agent execute and send result to Zabbix Server
- Zabbix server processes the returned information.

My main question is in the operation of fping. How agent can answer to server if fping isn't installed on agent ?

And, I still do not anderstand how for majority of servers, fping is OK, but for few others, it's not ?
If the problem is kernel version too old for using cap, the issue should be for all servers, isn't it ?

Ad Widget

Problem with fping

Problem with fping

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment