docker-alpine
ping: permission denied (are you root?) flooding y
I don't know if this is a bug, but today I got a weird result that can be easily reproduced.
I created a container with --cap-drop=ALL
with the image 10.16.3-alpine.
Soon after, I accessed the container terminal with the command:
docker exec -ti CONTAINER_ID /bin/sh
and I used a basic command:
ping www.google.com
I got the result
ping: permission denied (are you root?)
Out of curiosity I tried
ping www.google.com && yes
or ping www.google.com; yes
I received an absurd flood of the letter Y without stopping on my console. I had to restart my machine to get out of the infinite loop.
I believe that if this has no connection to the alpine image or cannot be resolved, the phrase (are you root?) should be removed.
It means that either you don't have permission to run it or it won't allow you to run it as root. The reason it's repeatedly printing y is that, by trying to respond literally to the command, it looks like it's passing y into a bunch of pings, or some weird thing like that. Pretty sure since you're responding with yes, the ping binary is refusing to run as root.
Actually: https://stackoverflow.com/questions/49302556/why-ping-does-work-from-user-but-does-not-work-as-root-why-root-cannot-load-ex
However, you might have inadvertently found a hilarious bug, but not a docker-alpine bug. Probably busybox... or maybe GNU? Not sure what version of ping is on alpine.
Hi, based on the alpine shell output:
/ # ls -la /bin/ping
lrwxrwxrwx 1 root root 12 Jun 19 2019 /bin/ping -> /bin/busybox
ping (in alpine) is ported from busybox, and the original source code is here: https://github.com/mirror/busybox/blob/1_30_1/networking/ping.c#L187. It just terminates by calling the syscall exit_group(1) after printing the error message "ping: permission denied (are you root?)".
As an alpine linux distro it also patches in some fixes (or enhancements). Assuming alpine-3.10, the patched busybox details are here: https://pkgs.alpinelinux.org/package/v3.10/main/x86_64/busybox. The corresponding tar is found here: https://git.alpinelinux.org/aports/snapshot/aports-bad6ce215708bb0f2a04be3c290d573966d18c7c.tar.xz. Untar it, and the ping patch is located at:
aports-*/main/busybox/0006-ping-make-ping-work-without-root-privileges.patch
This patch adds another ICMP method using the datagram socket type (SOCK_DGRAM), besides the raw socket type (SOCK_RAW) that the original busybox implementation uses.
Basically ping (ICMP) needs the CAP_NET_RAW capability (http://man7.org/linux/man-pages/man7/capabilities.7.html). On the alpine docker container with no capabilities ('--cap-drop=ALL'), both socket types (SOCK_RAW, SOCK_DGRAM) fail to be created; see the strace snippets below:
//1. the original busybox implements (SOCK_RAW)
socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) = -1 EPERM (Operation not permitted)
//2. the patched enhancement (SOCK_DGRAM)
socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) = -1 EACCES (Permission denied)
//output that error and terminated
write(2, "ping: permission denied (are you root?)\n", 40) = 40 <0.000209>
exit_group(1) = ?
+++ exited with 1 +++
As the code and the strace output above show, ping does not accept the input character 'y'; the 'yes' command simply prints 'y' repeatedly.
Thanks
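One way to see which prerequisite is actually missing, as an added example that is not busybox's or docker-alpine's code: this C program tries the same two ICMP socket types the comment above describes and prints the errno each attempt returns, which busybox's single "are you root?" message hides. The explanation strings are assumptions derived from the strace output above and from capabilities(7); run it once in a normal container and once under --cap-drop=ALL to compare.

```c
/* Added example (not busybox's or docker-alpine's code): probe the two ICMP
 * socket types and explain the errno instead of hiding it. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Map (socket type, errno) to the prerequisite that is missing.
 * The explanations are assumptions based on the strace output in the thread. */
const char *explain_icmp_socket_errno(int type, int err)
{
    if (err == 0)
        return "ok";
    if (type == SOCK_RAW && err == EPERM)
        return "SOCK_RAW needs CAP_NET_RAW (dropped by --cap-drop=ALL)";
    if (type == SOCK_DGRAM && err == EACCES)
        return "SOCK_DGRAM ICMP needs a gid inside net.ipv4.ping_group_range";
    return strerror(err);   /* anything else: kernel without ping sockets, etc. */
}

static const char *type_name(int type)
{
    return type == SOCK_RAW ? "SOCK_RAW" : "SOCK_DGRAM";
}

/* Try both socket types. Returns the fd or -1; stores the last type tried
 * and its errno (0 on success) so the caller can report precisely. */
int open_icmp_socket(int *type_out, int *err_out)
{
    static const int types[] = { SOCK_RAW, SOCK_DGRAM };
    for (size_t i = 0; i < sizeof types / sizeof types[0]; i++) {
        int fd = socket(AF_INET, types[i], IPPROTO_ICMP);
        *type_out = types[i];
        if (fd >= 0) {
            *err_out = 0;
            return fd;
        }
        *err_out = errno;
        /* Same shape as the strace lines, plus the reason. */
        fprintf(stderr, "socket(AF_INET, %s, IPPROTO_ICMP) = -1 %s: %s\n",
                type_name(types[i]), strerror(errno),
                explain_icmp_socket_errno(types[i], errno));
    }
    return -1;
}

int main(void)
{
    int type, err;
    int fd = open_icmp_socket(&type, &err);
    if (fd < 0) {
        fprintf(stderr, "no ICMP socket available (last error: %s)\n",
                explain_icmp_socket_errno(type, err));
        return 1;
    }
    printf("got ICMP socket via %s\n", type_name(type));
    close(fd);
    return 0;
}
```

The program exits 1 just like busybox ping does, so `&&` still short-circuits; the difference is that the reason for the failure is on stderr instead of a question that nobody is asking.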
So, there are two issues. #1. Don't run ping as root. I already replied with the reason for that. #2. It's not asking a question; it's exiting and that's its error message. So when you put in 'yes' you're entering the *nix yes command. https://www.computerhope.com/unix/yes.htm
On Thu, Apr 9, 2020, 11:45 PM harperwang [email protected] wrote:
Hi, based on the alpine shell output:
/ # ls -la /bin/ping
lrwxrwxrwx 1 root root 12 Jun 19 2019 /bin/ping -> /bin/busybox
ping (in alpine) is ported from busybox, and the original source code is here: https://github.com/mirror/busybox/blob/1_30_1/networking/ping.c#L187. It just terminates by calling the syscall exit_group(1) after printing the error message "ping: permission denied (are you root?)".
As an alpine linux distro it also patches in some fixes (or enhancements). Assuming alpine-3.10, the patched busybox details are here: https://pkgs.alpinelinux.org/package/v3.10/main/x86_64/busybox. The corresponding tar is found here: https://git.alpinelinux.org/aports/snapshot/aports-bad6ce215708bb0f2a04be3c290d573966d18c7c.tar.xz. Untar it, and the ping patch is located at: aports-*/main/busybox/0006-ping-make-ping-work-without-root-privileges.patch
This patch adds another ICMP method using the datagram socket type (SOCK_DGRAM), besides the raw socket type (SOCK_RAW) that the original busybox implementation uses.
Basically ping (ICMP) needs the CAP_NET_RAW capability (http://man7.org/linux/man-pages/man7/capabilities.7.html). On the alpine docker container with no capabilities ('--cap-drop=ALL'), both socket types (SOCK_RAW, SOCK_DGRAM) fail to be created; see the strace snippets below:
//1. the original busybox implements (SOCK_RAW)
socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) = -1 EPERM (Operation not permitted)
//2. the patched enhancement (SOCK_DGRAM)
socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) = -1 EACCES (Permission denied)
//output that error and terminated
write(2, "ping: permission denied (are you root?)\n", 40) = 40 <0.000209>
exit_group(1) = ?
+++ exited with 1 +++
As the code and the strace output above show, ping does not accept the input character 'y'; the 'yes' command simply prints 'y' repeatedly.
Thanks
#1. Don't run ping as root. I already replied with the reason for that.
It needs the CAP_NET_RAW capability, regardless of root or not.
The socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) socket doesn't require cap_net_raw or root; it just requires the net.ipv4.ping_group_range kernel setting to include a group id which your user is in.
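To check that last condition inside a container, as an added example that is not code from the thread or from busybox: this C program reads net.ipv4.ping_group_range from /proc, parses the "low high" pair, and reports whether the caller's primary gid falls inside it (the kernel also accepts supplementary groups, which this example does not check). The kernel's default of "1 0" has low greater than high, which disables unprivileged ICMP datagram sockets entirely and is what produces the EACCES seen in the strace above.

```c
/* Added example (not the project's code): is my gid inside
 * net.ipv4.ping_group_range, the sysctl that gates SOCK_DGRAM ICMP sockets? */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Parse the "low high" text of /proc/sys/net/ipv4/ping_group_range
 * (the two numbers are tab-separated in /proc). Returns 0 on success,
 * -1 if either number is missing or malformed. */
int parse_ping_group_range(const char *text, long *lo, long *hi)
{
    char *end;
    const char *p = text;

    errno = 0;
    *lo = strtol(p, &end, 10);
    if (errno != 0 || end == p)
        return -1;

    p = end;                        /* strtol skips the whitespace itself */
    *hi = strtol(p, &end, 10);
    if (errno != 0 || end == p)
        return -1;
    return 0;
}

/* 1 if a process with this gid may open SOCK_DGRAM/IPPROTO_ICMP sockets
 * under the given range. An inverted range (low > high, the kernel default
 * "1 0") allows nobody. */
int gid_allowed_by_range(long gid, long lo, long hi)
{
    return lo <= hi && gid >= lo && gid <= hi;
}

/* Read the live sysctl. Returns 0 on success, -1 if /proc is unavailable
 * or the contents do not parse. */
int read_ping_group_range(long *lo, long *hi)
{
    char buf[64];
    FILE *f = fopen("/proc/sys/net/ipv4/ping_group_range", "r");
    if (f == NULL)
        return -1;
    int got = fgets(buf, sizeof buf, f) != NULL;
    fclose(f);
    return got ? parse_ping_group_range(buf, lo, hi) : -1;
}

int main(void)
{
    long lo, hi;
    if (read_ping_group_range(&lo, &hi) != 0) {
        perror("net.ipv4.ping_group_range");
        return 2;
    }
    long gid = (long)getgid();
    printf("net.ipv4.ping_group_range = %ld %ld, my gid = %ld: %s\n",
           lo, hi, gid,
           gid_allowed_by_range(gid, lo, hi)
               ? "unprivileged ICMP datagram sockets allowed"
               : "not allowed (SOCK_DGRAM ICMP will fail with EACCES)");
    return 0;
}
```

The sysctl is per network namespace, so it can be set for one container at start-up (for example with Docker's `--sysctl net.ipv4.ping_group_range="0 2147483647"`) without handing the container CAP_NET_RAW; this keeps ping working under --cap-drop=ALL while the raw-socket path stays closed.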