Ping > "Operation not permitted"
Posted: Mon Sep 03, 2007 3:04 pm
by JustinMs66
Code:
// ping takes a host name, not a URL; stdout and stderr both go to response.txt
$cmd = 'ping -c 2 www.yahoo.com > response.txt 2>&1';
$shellOutput = shell_exec($cmd);
I am trying to get a ping command to work with PHP, and it returns:
ping: icmp open socket: Operation not permitted
I tried changing the owner to the user that PHP executes the script as, and to root. It changes nothing.
Can someone please help me?
Also, I am running on CentOS SE, PHP 5.2.3, Apache 1.3.
Posted: Mon Sep 03, 2007 3:24 pm
by Weirdan
Most probably shell_exec does not honor the suid bit set on the ping binary. If that's the case, you can't do anything about it.
Posted: Mon Sep 03, 2007 3:58 pm
by JustinMs66
You can always do something.
Posted: Mon Sep 03, 2007 4:07 pm
by VladSun
Maybe Weirdan is right, but try "chmod 4755 /bin/ping". I think it is an SE Linux problem and I have to check it ... I'll talk to a colleague about SE Linux and suid and post it here if there is something useful.
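
A check for the state this thread turns on, as an added example that is not part of the original posts: it reports whether the ping binary is setuid and owned by root, which is what "chmod 4755 /bin/ping" restores. The function names are made up for this example and it assumes GNU stat; newer systems may give ping its socket through file capabilities instead, so "no-suid" is not always a fault there.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Classify an octal mode string (as printed by "stat -c %a") and an owner name.
# Prints one of: suid-root, suid-not-root, no-suid, invalid-mode
classify_ping_perms() {
    mode=$1
    owner=$2
    case $mode in
        ''|*[!0-7]*) echo "invalid-mode"; return 2 ;;
    esac
    # The leading 0 makes the shell read the value as octal; the setuid bit
    # is the 4 in the fourth octal digit from the right (4755 -> 4).
    if [ $(( (0$mode >> 9) & 4 )) -eq 0 ]; then
        echo "no-suid"        # ping runs as the caller, e.g. the web server user
    elif [ "$owner" != "root" ]; then
        echo "suid-not-root"  # setuid to a non-root owner does not give root rights
    else
        echo "suid-root"      # root-owned binary with mode 4755
    fi
}

# Inspect a real binary (default /bin/ping) and print a one-line report.
check_ping() {
    bin=${1:-/bin/ping}
    [ -e "$bin" ] || { echo "$bin: missing"; return 1; }
    # GNU stat: %a = octal mode, %U = owner name
    set -- $(stat -c '%a %U' "$bin")
    echo "$bin: mode=$1 owner=$2 -> $(classify_ping_perms "$1" "$2")"
    # The thread also suspects SE Linux; show its mode when the tool exists.
    if command -v getenforce >/dev/null 2>&1; then
        echo "SELinux: $(getenforce)"
    fi
}

check_ping "${1:-/bin/ping}" || true
```

Run it as the same user the web server uses to see what PHP's shell_exec would see.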

Posted: Mon Sep 03, 2007 4:20 pm
by JustinMs66
That worked!
I love you
Posted: Mon Sep 03, 2007 5:18 pm
by VladSun
JustinMs66 wrote: That worked!
I love you

))))) Cute
I would suggest that you use sudo and its config file /etc/sudoers instead of using SUID (that is chmod 4755). It would be more secure and additionally you would have more functionality accessible. E.g. instead of:
you could use:
which is several times faster than the previous one.
Indeed, using sudo requires some man-pages reading but it is worth it
Hope it's helpful

Posted: Tue Sep 04, 2007 4:44 pm
by Weirdan
VladSun wrote: I would suggest that you use sudo and its config file /etc/sudoers instead of using SUID
The ping binary has always been installed with the SUID bit set on every *nix system I have encountered (otherwise ordinary users would not be able to use it, because receiving an ICMP packet requires root privileges). Since when is it necessary to use sudo to do pings? I must have missed something.
Posted: Tue Sep 04, 2007 5:17 pm
by VladSun
Weirdan wrote:
VladSun wrote: I would suggest that you use sudo and its config file /etc/sudoers instead of using SUID
The ping binary has always been installed with the SUID bit set on every *nix system I have encountered (otherwise ordinary users would not be able to use it, because receiving an ICMP packet requires root privileges).
Yeah, I know it is SUIDed by default. That's why I've decided it is an SE Linux problem. Anyway, SUID would always be a security weakness - sudo is a better way to do it ...
Weirdan wrote: Since when is it necessary to use sudo to do pings? I must have missed something.
Yes, you missed something:
VladSun wrote: ping -c2 -f yahoo.com
The "-f" argument insists that you are really root, not just SUID...
Posted: Wed Sep 05, 2007 1:51 am
by Weirdan
VladSun wrote: The "-f" argument insists that you are really root, not just SUID...
Oh, the infamous flood pings... now I see.