Ping > "Operation not permitted"

Posted: Mon Sep 03, 2007 3:04 pm
by JustinMs66

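Code:

// ping takes a hostname, not a URL, so the http:// prefix is dropped
$cmd = 'ping -c 2 www.yahoo.com > response.txt 2>&1';
// stdout and stderr are redirected to response.txt, so read the result from that file
$shellOutput = shell_exec($cmd);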

I am trying to get a ping command to work with PHP, and that returns:
ping: icmp open socket: Operation not permitted

I tried changing the owner to the user that PHP executes the script on, and root. It changes nothing.

Can someone please help me?

Also, I am running on CentOS SE, PHP 5.2.3, Apache 1.3.

Posted: Mon Sep 03, 2007 3:24 pm
by Weirdan
Most probably shell_exec does not honor the suid bit set on the ping binary. If that's the case, you can't do anything about it.

Posted: Mon Sep 03, 2007 3:58 pm
by JustinMs66
You can always do something.

Posted: Mon Sep 03, 2007 4:07 pm
by VladSun
Maybe Weirdan is right, but try "chmod 4755 /bin/ping". I think it is an SELinux problem and I have to check it ... I'll talk to a colleague about SELinux and suid and post it here if there is something useful :)
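
Added example, not part of the original thread: a POSIX shell check that reports which privilege mechanism a raw-socket tool such as /bin/ping currently has, useful before and after an ownership or mode change like the ones discussed here. The function names are hypothetical, and the file-capability branch (the libcap `getcap` tool, used only if installed) goes beyond what the thread covers.

```shell
#!/bin/sh
# Added example: classify how a raw-socket tool such as /bin/ping gets
# (or fails to get) its privilege. Function names are hypothetical.

# Print the numeric owner UID of a path, using only POSIX ls and awk.
owner_uid() {
    ls -lnd -- "$1" | awk '{ print $3 }'
}

# Succeed if the optional libcap tool getcap reports cap_net_raw on the file.
has_net_raw_cap() {
    command -v getcap >/dev/null 2>&1 || return 1
    getcap "$1" 2>/dev/null | grep -q 'cap_net_raw'
}

# Print one verdict for the given path:
#   missing          - the path does not exist
#   setuid-root      - setuid bit set and owner is UID 0 (what chmod 4755 gives
#                      a root-owned binary)
#   setuid-not-root  - setuid bit set, but it only grants the owner's UID,
#                      which cannot open a raw ICMP socket
#   file-cap-net-raw - no setuid bit, but a cap_net_raw file capability
#   unprivileged     - runs as the caller; a non-root caller gets
#                      "icmp open socket: Operation not permitted"
classify_ping_privs() {
    f=$1
    if [ ! -e "$f" ]; then
        echo missing
    elif [ -u "$f" ] && [ "$(owner_uid "$f")" = "0" ]; then
        echo setuid-root
    elif [ -u "$f" ]; then
        echo setuid-not-root
    elif has_net_raw_cap "$f"; then
        echo file-cap-net-raw
    else
        echo unprivileged
    fi
}

# When run as a script with a path argument, report on that path.
if [ $# -gt 0 ]; then
    printf '%s: %s\n' "$1" "$(classify_ping_privs "$1")"
fi
```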

Posted: Mon Sep 03, 2007 4:20 pm
by JustinMs66
That worked!
I love you

Posted: Mon Sep 03, 2007 5:18 pm
by VladSun
JustinMs66 wrote:
> That worked!
> I love you

:)))))) Cute :)

I would suggest you use sudo and its config file /etc/sudoers instead of using SUID (that is, chmod 4755). It would be more secure and additionally you would have more functionality accessible. E.g. instead of:

Code:

ping -c2 yahoo.com

you could use:

Code:

sudo /bin/ping -c2 -f yahoo.com

which is several times faster than the previous one.

Indeed, using sudo requires some man-page reading, but it is worth it :)

Hope it's helpful :)

Posted: Tue Sep 04, 2007 4:44 pm
by Weirdan
VladSun wrote:
> I would suggest you use sudo and its config file /etc/sudoers instead of using SUID

The ping binary has always been installed with the SUID bit set on every *nix system I have encountered (otherwise ordinary users would not be able to use it, because receiving an ICMP packet requires root privileges). Since when is it necessary to use sudo to do pings? I must have missed something.

Posted: Tue Sep 04, 2007 5:17 pm
by VladSun
Weirdan wrote:
> VladSun wrote:
> > I would suggest you use sudo and its config file /etc/sudoers instead of using SUID
>
> The ping binary has always been installed with the SUID bit set on every *nix system I have encountered (otherwise ordinary users would not be able to use it, because receiving an ICMP packet requires root privileges).

Yeah, I know it is SUIDed by default. That's why I've decided it is an SELinux problem. Anyway, SUID would always be a security weakness - sudo is a better way to do it ...

Weirdan wrote:
> Since when is it necessary to use sudo to do pings? I must have missed something.

Yes, you missed something:

VladSun wrote:
> ping -c2 -f yahoo.com

The "-f" argument insists that you are really root, not just SUID...

Posted: Wed Sep 05, 2007 1:51 am
by Weirdan
VladSun wrote:
> the "-f" argument insists that you are really root, not just SUID...

Oh, the infamous flood pings... now I see.