Ping > "Operation not permitted"

JustinMs66
Forum Contributor
Posts: 127
Joined: Sun Sep 03, 2006 4:18 pm

Post by JustinMs66 »

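Code:

// ping takes a hostname, not a URL; stdout and stderr both go to response.txt
$cmd = 'ping -c 2 www.yahoo.com > response.txt 2>&1';
// shell_exec() returns NULL here because all output was redirected to the file
$shellOutput = shell_exec($cmd);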

I am trying to get a ping command to work with PHP, and it returns:
ping: icmp open socket: Operation not permitted

I tried changing the owner to the user that PHP executes the script as, and to root. It changes nothing.

Can someone please help me?

Also, I am running on CentOS SE, PHP 5.2.3, Apache 1.3.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Most probably shell_exec does not honor the suid bit set on the ping binary. If that's the case, you can't do anything about it.
JustinMs66
Forum Contributor
Posts: 127
Joined: Sun Sep 03, 2006 4:18 pm

Post by JustinMs66 »

You can always do something.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

Maybe Weirdan is right, but try "chmod 4755 /bin/ping". I think it is an SE Linux problem and I have to check it ... I'll talk to a colleague about SE Linux and suid and post it here if there is something useful :)
There are 10 types of people in this world, those who understand binary and those who don't
JustinMs66
Forum Contributor
Posts: 127
Joined: Sun Sep 03, 2006 4:18 pm

Post by JustinMs66 »

That worked!
I love you
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

JustinMs66 wrote:
that worked!
i love you

:)))))) Cute :)

I would suggest you to use sudo and its config file /etc/sudoers instead of using SUID (that is chmod 4755). It would be more secure and additionally you would have more functionality accessible. E.g. instead of:

Code:

ping -c2 yahoo.com

you could use:

Code:

sudo /bin/ping -c2 -f yahoo.com

which is several times faster than the previous one.

Indeed, using sudo requires some man-pages reading but it is worth it :)

Hope it's helpful :)
There are 10 types of people in this world, those who understand binary and those who don't
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

VladSun wrote:
I would suggest you to use sudo and its config file /etc/sudoers instead of using SUID

ping binary has always been installed with SUID bit set on every *nix system I encountered (otherwise ordinary users would not be able to use it because receiving an icmp packet requires root privileges). Since when it's necessary to use sudo to do pings? I must have missed something.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

Weirdan wrote:
VladSun wrote: I would suggest you to use sudo and its config file /etc/sudoers instead of using SUID
ping binary has always been installed with SUID bit set on every *nix system I encountered (otherwise ordinary users would not be able to use it because receiving an icmp packet requires root privileges).

Yeah, I know it is SUIDed by default. That's why I've decided it is a SE Linux problem. Anyway, SUID would always be a security weakness - sudo is a better way to do it ...

Weirdan wrote:
Since when it's necessary to use sudo to do pings? I must have missed something.

Yes, you missed something:

VladSun wrote:
ping -c2 -f yahoo.com

the "-f" argument insists that you are really root, not just SUID...
There are 10 types of people in this world, those who understand binary and those who don't
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

VladSun wrote:
the "-f" argument insists that you are really root, not just SUID...

Oh, the infamous flood pings... now I see.
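
An added example, not part of any post in this thread and not the posters' own code: a POSIX shell function that checks the file state the `chmod 4755 /bin/ping` fix changes, so the cause of "Operation not permitted" can be confirmed before changing modes. The name `suid_status` and its output labels are invented for this example, and it assumes the calling account (such as the one PHP's shell_exec runs under) is neither the file's owner nor in its group.

```shell
#!/bin/sh
# Added example (not from the thread). suid_status reports whether a binary
# such as /bin/ping would gain its owner's privileges when run by another
# account, e.g. the user PHP's shell_exec() runs as.
#
# usage: suid_status PATH [UID]
#   UID is the owner the setuid bit must point at (default 0, root), since
#   the thread notes that ping's ICMP socket needs root privileges.
# prints: missing | not-executable | no-suid | suid-wrong-owner | suid-ok
suid_status() {
    f=$1
    want=${2:-0}
    if [ ! -f "$f" ]; then echo missing; return 0; fi

    # "ls -lnd" gives the mode string and the numeric owner, for example
    #   -rwsr-xr-x 1 0 0 44168 ... /bin/ping
    set -- $(ls -lnd -- "$f")
    perms=$1
    owner=$3

    # Character 10 of the mode string is the execute bit for "other" users
    # (assumption: the web-server account falls under "other").
    case $perms in
        ?????????[xt]*) ;;
        *) echo not-executable; return 0 ;;
    esac

    # test -u is true only when the setuid bit (the 4 in 4755) is set.
    if [ ! -u "$f" ]; then echo no-suid; return 0; fi

    # A setuid bit only helps if the owner is the account holding the privilege.
    if [ "$owner" = "$want" ]; then echo suid-ok; else echo suid-wrong-owner; fi
}

# Run as a script: ./suid_status.sh /bin/ping
if [ $# -gt 0 ]; then suid_status "$@"; fi
```

A result of `no-suid` for `/bin/ping` matches the situation the original poster fixed with `chmod 4755`; `suid-ok` with the error still present points at something other than the file mode.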