Arch Linux Ping fails (capabilities problems) #1303
Comments
Have you tried running it with root permissions? Have you tried running WSL as admin and then run ping with root? Your strace has the line You can add the suid flag with:
However, on the Anniversary Update, at least, you still need to run WSL as admin to be able to ping. |
Yeah, in 14955 you can ping without admin, but I will try as root. Edit: Yeah Roli, it was the root thing. Setting +s doesn't work though. |
Final comment, restarting WSL fixed it after setting the setuid permission. Maybe it was some weird thing from caching permissions. |
Fwiw, on my real Arch install, I do not have to have setuid/setgid on ping. Maybe MS's implementation right now requires root for some reason. I guess I can try it out on an Ubuntu VM and see if they do it there. |
The practice of using setuid can be pretty dangerous, and so it is mostly discouraged. Linux has a "capabilities" system, where you can add only specific capabilities, instead of full system access. Ping most likely needs raw socket usage, in which case you'd run:
However, I'm not sure if the WSL kernel wrapper supports capabilities. It most likely does not. I had an Arch VM lying around, and I was able to confirm this, ping does come with capabilities set:
|
Yeah, I found out it was capabilities independently, searching why Ubuntu uses setuid (apparently for backwards compatibility or something), found a bug report about it from 2014. |
WSL does support capabilities and so enforces the CAP_NET_RAW capability for raw sockets. |
@sunilmut getcap and getfattr both die silently, and setcap dies with an error message. Here is the strace of
and here is the strace of
|
Thanks @fpqc. Looks like the extended attribute for 'security.capability' is not supported, but we do enforce capability checks. Adding @stehufntdev to comment on the extended attribute part.
|
@sunilmut I'm guessing that whatever capability ping should have, it does actually have, but the Also, I confirmed that getcap and setcap don't work on Ubuntu either (but this is mitigated by the fact that ping is setuid in Ubuntu, while it's not in Arch). |
@sunilmut - setting extended attributes is not currently supported but the work is being tracked. |
@stehufntdev Are capabilities stored in the Tried setting it outside of WSL with
But it seems to have had no effect, as under WSL both |
Sorry, should have said that extended attributes are not currently supported in WSL. It's not just set but all extended attribute support. |
Support for the security.capability xattr was added in build 16226. Marking this as a duplicate of #574. |
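As an added example (not code from this thread or from WSL), here is a Python decoder for the `security.capability` extended-attribute value discussed above, following the `vfs_cap_data` layout from the Linux `linux/capability.h` header. The function names are hypothetical and the sample bytes are constructed to match what `cap_net_raw+ep` stores on a file.

```python
import struct

# Constants from the Linux UAPI header linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
VFS_CAP_REVISION_3 = 0x03000000  # revision 3 appends a 32-bit rootid
# revision -> number of 32-bit (permitted, inheritable) pairs
VFS_CAP_U32 = {0x01000000: 1, 0x02000000: 2, VFS_CAP_REVISION_3: 2}
CAP_NET_ADMIN = 12
CAP_NET_RAW = 13

def parse_security_capability(raw: bytes) -> dict:
    """Decode a security.capability xattr value (struct vfs_cap_data)."""
    if len(raw) < 4:
        raise ValueError("xattr value too short for magic_etc")
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision not in VFS_CAP_U32:
        raise ValueError(f"unknown revision {revision:#010x}")
    pairs = VFS_CAP_U32[revision]
    expected = 4 + 8 * pairs + (4 if revision == VFS_CAP_REVISION_3 else 0)
    if len(raw) != expected:
        raise ValueError(f"expected {expected} bytes, got {len(raw)}")
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {
        "revision": revision >> 24,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": permitted,
        "inheritable": inheritable,
    }

def grants(caps: dict, cap: int) -> bool:
    """True if exec of the file puts `cap` in the permitted and effective sets."""
    return caps["effective"] and bool((caps["permitted"] >> cap) & 1)

# Constructed sample: revision 2, effective flag set, only bit 13 permitted.
SAMPLE_PING_XATTR = bytes.fromhex(
    "01000002" "00200000" "00000000" "00000000" "00000000"
)

if __name__ == "__main__":
    caps = parse_security_capability(SAMPLE_PING_XATTR)
    print(caps, "CAP_NET_RAW granted:", grants(caps, CAP_NET_RAW))
```

On a Linux host the raw value can be read with `os.getxattr(path, "security.capability")`; a binary that decodes to only `CAP_NET_RAW` is a much narrower grant than the setuid-root bit mentioned earlier in the thread.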
On build 14955, installed pritunl/archlinux with @RoliSoft's tool.
Ping works fine on the Ubuntu distros (Ubuntu 16.04, 16.10, 17.06, etc), but it breaks in Arch.
It seems to be related to the failing UDP in IPv6, but I'm not sure so I'm attaching the strace -ff.
strace.txt
If it's a duplicate, please close. Thanks.