Control: tags -1 unreproducible

On 8/17/25 10:31 AM, Bernhard Geier wrote:
> check_icmp does not work on Trixie for non-root users, as special capabilities
> are required to send ICMP packages.

It works as expected on my trixie systems:

 # sudo -u nagios /usr/lib/nagios/plugins/check_icmp -H 10.0.0.150 -v
 ttl set to 64
 Setting alarm timeout to 10 seconds
 packets: 5, targets: 1
 target_interval: 0.000, pkt_interval 80.000
 crit.rta: 500.000
 max_completion_time: 3400.000
 crit = {500000, 80%}, warn = {200000, 40%}
 pkt_interval: 80000  target_interval: 0  retry_interval: 0
 icmp_pkt_size: 76  timeout: 10
 0.181 ms rtt from 10.0.0.150, outgoing ttl: 64, incoming ttl: 64, max: 0.181, min: 0.181
 0.057 ms rtt from 10.0.0.150, outgoing ttl: 64, incoming ttl: 64, max: 0.181, min: 0.057
 0.043 ms rtt from 10.0.0.150, outgoing ttl: 64, incoming ttl: 64, max: 0.181, min: 0.043
 0.045 ms rtt from 10.0.0.150, outgoing ttl: 64, incoming ttl: 64, max: 0.181, min: 0.043
 0.045 ms rtt from 10.0.0.150, outgoing ttl: 64, incoming ttl: 64, max: 0.181, min: 0.043
 icmp_sent: 5  icmp_recv: 5  icmp_lost: 0
 targets: 1  targets_alive: 1
 OK -
 10.0.0.150 rta 0.074ms lost 0%|
 rta=0.074ms;200.000;500.000;0; rtmax=0.181ms;;;; rtmin=0.043ms;;;; pl=0%;40;80;0;100
 targets: 1, targets_alive: 1, hosts_ok: 1, hosts_warn: 0, min_hosts_alive: -1

> Please consider adding the required capabilities, e.g. setcap cap_net_raw+ep
> /usr/lib/nagios/plugins/check_icmp

The linux-sysctl-defaults package does this, see:

 
https://www.debian.org/releases/trixie/release-notes/issues.en.html#ping-no-longer-runs-with-elevated-privileges

Setting in question:

 # grep -B6 ping_group_range /usr/lib/sysctl.d/50-default.conf
 # ping(8) without CAP_NET_ADMIN and CAP_NET_RAW
 # The upper limit is set to 2^31-1. Values greater than that get rejected by
 # the kernel because of this definition in linux/include/net/ping.h:
 #   #define GID_T_MAX (((gid_t)~0U) >> 1)
 # That's not so bad because values between 2^31 and 2^32-1 are reserved on
 # systemd-based systems anyway: https://systemd.io/UIDS-GIDS#summary
 -net.ipv4.ping_group_range = 0 2147483647

Kind Regards,

Bas

--
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1
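
As an added example, not part of the original message: a shell check of whether any of a user's group IDs falls inside a given net.ipv4.ping_group_range value, including the 2^31-1 upper limit mentioned in the quoted comment. The function name ping_allowed and the sample ranges are assumptions made for illustration.

```shell
# Added example: function name and sample values are constructed.
GID_T_MAX=2147483647    # 2^31-1, the upper limit cited in 50-default.conf

# ping_allowed "LOW HIGH" GID...
#   prints the first GID inside the range and returns 0
#   returns 1 if no GID matches (the kernel default "1 0" is an empty range)
#   returns 2 if the range is malformed or exceeds GID_T_MAX
ping_allowed() {
    range=$1; shift
    # The proc file separates the two numbers with a tab; read splits on it.
    read -r low high extra <<EOF
$range
EOF
    [ -z "$extra" ] || return 2
    for v in "$low" "$high"; do
        case $v in ''|*[!0-9]*) return 2 ;; esac
        [ "$v" -le "$GID_T_MAX" ] 2>/dev/null || return 2
    done
    for gid in "$@"; do
        if [ "$gid" -ge "$low" ] && [ "$gid" -le "$high" ]; then
            echo "$gid"
            return 0
        fi
    done
    return 1
}

# Live check for the invoking user, only where the sysctl is exposed.
f=/proc/sys/net/ipv4/ping_group_range
if [ -r "$f" ]; then
    current=$(cat "$f")
    if ping_allowed "$current" $(id -G) >/dev/null; then
        echo "uid $(id -u): a group is inside ping_group_range ($current)"
    else
        echo "uid $(id -u): no group inside ping_group_range ($current)"
    fi
fi
```

Run it as the monitoring user (for instance via sudo -u nagios sh) to see the result for that account's groups.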
