vbezhenar 6 hours ago

> You can just add the capability CAP_NET_RAW to your process, at which point it can ping freely

What are the consequences of this capability? Seems like restricting this to root was done for a reason?
raesene9 6 hours ago | parent

It lets you send raw sockets, and has some dangers (e.g. packet forgery). It's included in pretty much every container in existence (if you're running as root in the container or have ambient capabilities set up). The goal of the capabilities system was to allow processes and users to gain a small portion of root privileges without giving them all. In the "old days" ping on a Linux host would be setuid root, so it essentially had all of root's rights. In more modern setups it either has CAP_NET_RAW or the ping_group sysctl is used to allow non-root users to use it.
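As an added example (not from either commenter), a small POSIX shell audit that reports which of the three mechanisms named in the answer grants ping on a Linux host: the setuid bit, a CAP_NET_RAW file capability, or the net.ipv4.ping_group_range sysctl. The decision logic is a pure function over strings so it can be checked offline; the host-gathering wrapper assumes GNU stat, libcap's getcap and /proc.

```shell
#!/bin/sh
# Classify how a ping binary gets the right to open ICMP sockets.
#   mode  - octal permission bits as printed by `stat -c %a`, e.g. 4755 or 755
#   caps  - output of `getcap` for the binary (empty string if no file caps)
#   range - contents of /proc/sys/net/ipv4/ping_group_range, e.g. "0 2147483647"
#   gid   - group id of the user being asked about
# Prints one of: setuid-root, cap_net_raw, ping_group_range, none
ping_grant_mechanism() {
    mode=$1; caps=$2; range=$3; gid=$4
    # A leading octal digit with the 4 bit set means setuid: the old
    # "all of root's rights" model from the answer above.
    case "$mode" in
        4???|5???|6???|7???) echo "setuid-root"; return 0 ;;
    esac
    # Both libcap output styles ("cap_net_raw=ep" and "= cap_net_raw+ep")
    # contain the capability name, so a substring match is enough.
    case "$caps" in
        *cap_net_raw*) echo "cap_net_raw"; return 0 ;;
    esac
    # ping_group_range is "lo hi"; the kernel default "1 0" (lo > hi)
    # means no group may open unprivileged ICMP sockets.
    set -- $range
    lo=$1; hi=$2
    if [ "$lo" -le "$hi" ] && [ "$gid" -ge "$lo" ] && [ "$gid" -le "$hi" ]; then
        echo "ping_group_range"; return 0
    fi
    echo "none"; return 1
}

# Gather the real values for this host and the current user (Linux only).
audit_ping() {
    bin=$(command -v ping) || { echo "ping not found"; return 1; }
    mode=$(stat -c %a "$bin")
    caps=$(getcap "$bin" 2>/dev/null || true)
    range=$(cat /proc/sys/net/ipv4/ping_group_range)
    ping_grant_mechanism "$mode" "$caps" "$range" "$(id -g)"
}
```

Running `audit_ping` on a host with an unprivileged ping that still works, but no setuid bit or file capability, tells you the sysctl is what is doing the work; a result of `none` for a user who can nonetheless ping means some other path (for example a wrapper with ambient capabilities) deserves a look.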