4

My server is running CentOS 6. I have a Sprint Broadband device connected as ppp0. This connection has a tendency to need restarted, so I'm trying to monitor it with Nagios (this is used for other monitoring of my network already). I have a nagios script written that tries to ping out over this interface using this command:

enter ping -c 1 -I ppp0 google.com | grep ttl

Running this as the root user works fine, and give me the the response of a single ping reply, or nothing if the connection is dead. However, if I run this same command as the user "nagios", I get the following error:

Warning: cannot bind to specified iface, falling back: Operation not permitted

The ping falls back to my eth0 interface for the ping.

It seems that the interface's permissions won't allow the nagios user to use it. I'm not sure what to change to allow this user to ping over this interface. Any suggestions? Thanks

dw.emplod
  • 343
  • 1
  • 4
  • 10

2 Answers2

3

Since ping needs to write raw packets, it needs root access. Normally ping would have the setuid bit set in order to accomplish this. If you check the permission of ping with, for example: stat -c %a $(which ping). Most systems would return 4775. The leading 4 is the setuid bit, which says that when running this program it runs under the uid of the user owning the file. If this is instead returning 755. You could add the setuid bit by running chmod u+s $(which ping)

stew
  • 9,263
  • 1
  • 28
  • 43
  • I looked into this and the ping command returned 4755. I tried setting it to 4775, but that didn't change anything. Thanks though. – dw.emplod Jul 10 '12 at 16:16
  • Then you've most likely got SELinux set to enforcing. You might take a look at your audit log and https://fportase.wordpress.com/selinux-policies/nagios-and-rhel-5-xx-and-6-xx-working-with-selinux-enabled/ – symcbean Jul 22 '16 at 19:21
1

On Linux, the preferred way is to give ping (or other such things) special capabilities. This avoids the pitfalls of executing with root permissions via a setuid bit (read below).

setcap cap_net_raw+ep /bin/ping

From the Archlinux Wiki:

Capabilities (POSIX 1003.1e, capabilities(7)) provide fine-grained control over superuser permissions, allowing use of the root user to be avoided. Software developers are encouraged to replace uses of the powerful setuid attribute in a system binary with a more minimal set of capabilities. Many packages make use of capabilities, such as CAP_NET_RAW being used for the ping binary provided by iputils. This enables e.g. ping to be run by a normal user (as with the setuid method), while at the same time limiting the security consequences of a potential vulnerability in ping.

h0tw1r3
  • 2,746
  • 18
  • 17