
Can't ping out from virtual drive

no permissions?

Ronin DUSETTE Saturday 13 July 2013 at 5:56
Ronin DUSETTE
Admin

I'm trying to run a program for work, and it needs to ping out, but apparently I cannot do that. I'm obviously not going to run as sudo, but I even tried changing the permissions of ping to my username and also tried 777 on the permissions, and it's still giving this error:

err:winediag:IcmpCreateFile Failed to use ICMP (network ping), this requires special permissions.

I've tried the setcap thing and all of that, and nothing has worked. Any suggestions?

Please:
Post debug logs & full computer specs in first post
No private messages for general help, use the forums
Read the wiki, Report broken scripts
petch Saturday 13 July 2013 at 8:48
petch
Developer

Hi,

The culprit is not the virtual drive (nor Wine), but just that pinging requires extra privileges (/usr/bin/ping works because it has been given those special rights).

According to https://bugs.launchpad.net/ubuntu/+source/wine1.2/+bug/518989
you can try giving NET_RAW capability to the wine-preloader executable of the Wine version used:

# setcap cap_net_raw+epi ~/.PlayOnLinux/wine/..../bin/wine-preloader


That's untested, as I don't know any other windows program that requires that.

(background info: it requires extra privileges because the program needs to be able to "craft" network packets on its own, instead of relying on the kernel providing high level facilities like for UDP or TCP; but such capability is open to network abuses).

Edited by petch

Ronin DUSETTE Saturday 13 July 2013 at 10:12
Ronin DUSETTE
Admin

Yeah. This is for a work tool.

I did that, but then it kept giving me a mismatched version error, so I ran it from the shell, using env WINEPREFIX=/foo/ wine /path/to/installer.

I manually created a virtual drive and installed dependencies, then tried to run the installer via configure - run .exe, and it wouldn't ping out, but when I used the setcap it wouldn't even launch, giving me a wine mismatch (I confirmed via which wine and which wine server that it was using the system wine build). I could not figure out how to set the wine version anywhere in pol or in the files for it.

It's odd that after running setcap, it wouldn't even work period and crash pol.

Oh. I even tried to open the shell for that virtual drive and manually set the paths via export, but they don't stick.

Edited by RoninDusette


petch Saturday 13 July 2013 at 11:55
petch
Developer

Yup, did some experimentation (even without any program doing ICMP), and got the same "version mismatch" problem. Removing the capabilities immediately fixes it, so it interferes with program execution.
Tried to find some docs on capabilities, but they're clear as mud, and years later they're barely integrated in distros either... :(

Best I've found is http://blog.fpmurphy.com/2009/05/linux-security-capabilities.html, seems you either also need to set capabilities on the user, or need a wrapper that will both enable and export the capabilities on the program they wrap...

Edited by petch

Ronin DUSETTE Saturday 13 July 2013 at 12:26
Ronin DUSETTE
Admin

Hmmmm. Then it is possible. Interesting.

How would this affect the Darwin kernel? Do they use this security stuff, as well?

Ronin DUSETTE Saturday 13 July 2013 at 19:13
Ronin DUSETTE
Admin

So, setcap does not work at all for this. What I had to do was:

Change permissions on ping. I really don't see any reason why a legit user shouldn't be able to ping, so I ran:


sudo chmod 4755 /bin/ping


Then, from a POL shell in the virtual drive, I ran:


env WINEPREFIX="/home/.../.PlayOnLinux/wineprefix/prefixname/" wine "/path/to/exe"


and it ran great. I had to install IE8 and vcrun2008 for this particular program to start, but this got around the mismatched version error and bypasses the whole ping permissions thing in general. Kind of a dirty hack, but it was a lot easier than screwing around with setcap. It didn't work at all.

Now I'm stuck on some .NET stuff for the rest of the apps, but I at least got that taken care of.

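
The thread tries two ways of granting the raw-socket right: a file capability (setcap cap_net_raw+epi) and the setuid bit (chmod 4755). The following is an added example, not part of any post above, showing how to audit which of the two a binary carries by decoding the security.capability extended attribute that setcap writes. The function names and the sample bytes are constructed for illustration, and the byte layout assumed is the kernel's vfs_cap_data structure.

```python
import os
import stat
import struct

CAP_NET_RAW = 13                  # bit number from <linux/capability.h>
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_1 = 0x01000000   # revision 1 stores one 32-bit word per set
VFS_CAP_FLAGS_EFFECTIVE = 0x1     # the "e" in cap_net_raw+epi


def decode_file_caps(xattr):
    """Decode a security.capability xattr into its capability masks."""
    (magic,) = struct.unpack_from("<I", xattr, 0)
    words = 1 if (magic & VFS_CAP_REVISION_MASK) == VFS_CAP_REVISION_1 else 2
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", xattr, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {"permitted": permitted, "inheritable": inheritable,
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE)}


def describe_privilege(mode, uid, xattr=None):
    """Report how a binary obtains the right to open raw sockets."""
    findings = []
    if (mode & stat.S_ISUID) and uid == 0:
        findings.append("setuid-root: runs with every root privilege")
    if xattr and (decode_file_caps(xattr)["permitted"] >> CAP_NET_RAW) & 1:
        findings.append("file capability: cap_net_raw")
    return findings or ["no elevated privilege: raw ICMP will fail"]


def audit(path):
    """Inspect a real file (Linux only)."""
    st = os.stat(path)
    try:
        xattr = os.getxattr(path, "security.capability")
    except (OSError, AttributeError):
        xattr = None              # no setcap was applied, or not Linux
    return describe_privilege(st.st_mode, st.st_uid, xattr)


# Constructed sample: the bytes stored for cap_net_raw+epi (revision 2).
SAMPLE_EPI = struct.pack("<IIIII", 0x02000001, 1 << 13, 1 << 13, 0, 0)

if __name__ == "__main__":
    print(describe_privilege(0o104755, 0))              # mode after chmod 4755
    print(describe_privilege(0o100755, 0, SAMPLE_EPI))  # after setcap
    print(audit("/bin/ping"))
```

A setuid-root finding means the whole program runs as root, whereas the capability finding covers a single bit, which is the difference between the two fixes attempted in this thread.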