Comment by vbezhenar
> You can just add the capability CAP_NET_RAW to your process, at which point it can ping freely
What are consequences of this capability? Seems like restricting this to root was done for a reason?
> You can just add the capability CAP_NET_RAW to your process, at which point it can ping freely
What are consequences of this capability? Seems like restricting this to root was done for a reason?
CAP_NET_RAW also allow to capture packets (tcpdump) so you really can have some fun like running a TCP stack in user space or MITM http connections: https://blog.champtar.fr/IPv6_RA_MITM/ / https://blog.champtar.fr/Metadata_MITM_root_EKS_GKE/
It lets you send raw sockets, and has some dangers (e.g. packet forgery). It's included in pretty much every container in existence (if you're running as root in the container or have ambient capabilities setup).
The goal of the capabilities system was to allow processes and users to gain a small portion of root privileges without giving them all.
In the "old days" ping on a Linux host would be setuid root, so it essentially had all of root's rights. In more modern setups it either has CAP_NET_RAW or the ping_group sysctl is used to allow non-root users to use it.