Forums

Cant ping out from virtual drive

no permissions?

Auteur Réponses
Ronin DUSETTE Samedi 13 Juillet 2013 à 5:56
Ronin DUSETTE

Im trying to run a program for work, and it needs to ping out, but apparently I cannot do that. Im obviously not going to run as sudo, but I even tried changing the permissions of ping to my username and also tried 777 on the permissions, and its still giving this error:

err:winediag:IcmpCreateFile Failed to use ICMP (network ping), this requires special permissions.

Citer

Ive tried the setcap thing and all of that, and nothing has worked. Any suggestions?

Please:
Post debug logs & full computer specs in first post
No private messages for general help, use the forums
Read the wiki, Report broken scripts
petch Samedi 13 Juillet 2013 à 8:48
petch

Hi,

The culpit is not the virtual drive (nor Wine), but just that pinging requires extra privileges (/usr/bin/ping works because it has been given those special rights).

According to https://bugs.launchpad.net/ubuntu/+source/wine1.2/+bug/518989
you can try giving NET_RAW capability to the wine-preloader executable of the Wine version used:

# setcap cap_net_raw+epi ~/.PlayOnLinux/wine/..../bin/wine-preloader


That's untested, as I don't know any other windows program that requires that.

(background info: it requires extra privileges because the program needs to be able to "craft" network packets on its own, instead of relying on the kernel providing high level facilities like for UDP or TCP; But such capability is open to network abuses).

Edité par petch

Ronin DUSETTE Samedi 13 Juillet 2013 à 10:12
Ronin DUSETTE

Yeah. This for a work tool.

I did that, but then it kept giving me a mismatched version error, so I ran it from the shell, using env WINEPREFIX=/foo/ wine /path/to/installer.

I manually created a virtual drive and installed dependencies, then tried to run the installer via configure - run .exe, and it wouldn't ping out, but when I used the setcap it wouldn't even launch, giving me a wine mismatch (I confirmed via which wine and which wine server that it was using the system wine build. I could not figure out how to set the wine version anywhere in pol or in the files for it.

Its odd that after running set cap, it wouldn't even work period and crash pol.

Oh. I even tried to open the shell for that virtual drive and manually set the paths via export, but they don't stick.

Edité par RoninDusette


Please:
Post debug logs & full computer specs in first post
No private messages for general help, use the forums
Read the wiki, Report broken scripts
petch Samedi 13 Juillet 2013 à 11:55
petch

Yup, did some experimentation (even without any program doing ICMP), and got the same "version mismatch" problem. Removing the capabilities immediately fixes it, so it interfers with program execution.
Tried to find some docs on capabilities, but they're clear as mud, and years later they're barely integrated in distros either... :(

Best I've found is http://blog.fpmurphy.com/2009/05/linux-security-capabilities.html, seems you either also need to set capabilities on the user, or need a wrapper that will both enable and export the capabilities on the program they wrap...

Edité par petch

Ronin DUSETTE Samedi 13 Juillet 2013 à 12:26
Ronin DUSETTE

Hmmmm. Then it is possible. Interesting.

How would this affect the Darwin kernel? Do they use this security stuff, as well?

Please:
Post debug logs & full computer specs in first post
No private messages for general help, use the forums
Read the wiki, Report broken scripts
Ronin DUSETTE Samedi 13 Juillet 2013 à 19:13
Ronin DUSETTE

So, setcap does not work at all for this. What I had to do was:

Change permissions on ping. I really dont see any reason why a legit user shouldnt be able to ping, so I ran:


sudo chmod 4755 /bin/ping


Then, from a POL shell in the virtual drive, I ran:


env WINEPREFIX="/home/.../.PlayOnLinux/wineprefix/prefixname/" wine "/path/to/exe"


and it ran great. I had to install IE8 and vcrun2008 for this particular program to start, but this got around the mismatched version error and bypasses the whole ping permissions thing in general. Kind of a dirty hack, but it was a lot easier than screwing around with setcap. It didnt work at all.

Now Im stuck on some .NET stuff for the rest of the apps, but I at least got that taken care of.

Please:
Post debug logs & full computer specs in first post
No private messages for general help, use the forums
Read the wiki, Report broken scripts

This site allows content generated by members, and we promptly remove any content that infringes copyright according to our Terms of Service. To report copyright infringement, please send a notice to dmcayonlinux.com