[Pkg-nagios-devel] Bug#1111349: Bug#1111349: monitoring-plugins-basic: check_icmp needs capabilities
Sebastiaan Couwenberg
sebastic at xs4all.nl
Mon Aug 18 07:55:20 BST 2025
Control: tags -1 unreproducible
On 8/17/25 10:31 AM, Bernhard Geier wrote:
> check_icmp does not work on Trixie for non-root users, as special capabilties are required to send ICMP packages.
It works as expected on my trixie systems:
# sudo -u nagios /usr/lib/nagios/plugins/check_icmp -H 10.0.0.150 -v
ttl set to 64
Setting alarm timeout to 10 seconds
packets: 5, targets: 1
target_interval: 0.000, pkt_interval 80.000
crit.rta: 500.000
max_completion_time: 3400.000
crit = {500000, 80%}, warn = {200000, 40%}
pkt_interval: 80000 target_interval: 0 retry_interval: 0
icmp_pkt_size: 76 timeout: 10
0.181 ms rtt from 10.0.0.150, outgoing ttl: 64, incoming ttl: 64, max: 0.181, min: 0.181
0.057 ms rtt from 10.0.0.150, outgoing ttl: 64, incoming ttl: 64, max: 0.181, min: 0.057
0.043 ms rtt from 10.0.0.150, outgoing ttl: 64, incoming ttl: 64, max: 0.181, min: 0.043
0.045 ms rtt from 10.0.0.150, outgoing ttl: 64, incoming ttl: 64, max: 0.181, min: 0.043
0.045 ms rtt from 10.0.0.150, outgoing ttl: 64, incoming ttl: 64, max: 0.181, min: 0.043
icmp_sent: 5 icmp_recv: 5 icmp_lost: 0
targets: 1 targets_alive: 1
OK -
10.0.0.150 rta 0.074ms lost 0%|
rta=0.074ms;200.000;500.000;0; rtmax=0.181ms;;;; rtmin=0.043ms;;;; pl=0%;40;80;0;100
targets: 1, targets_alive: 1, hosts_ok: 1, hosts_warn: 0, min_hosts_alive: -1
> Please consider adding the required capabilities, e.g. setcap cap_net_raw+ep /usr/lib/nagios/plugins/check_icmp
The linux-sysctl-defaults package does this, see:
https://www.debian.org/releases/trixie/release-notes/issues.en.html#ping-no-longer-runs-with-elevated-privileges
Setting in question:
# grep -B6 ping_group_range /usr/lib/sysctl.d/50-default.conf
# ping(8) without CAP_NET_ADMIN and CAP_NET_RAW
# The upper limit is set to 2^31-1. Values greater than that get rejected by
# the kernel because of this definition in linux/include/net/ping.h:
# #define GID_T_MAX (((gid_t)~0U) >> 1)
# That's not so bad because values between 2^31 and 2^32-1 are reserved on
# systemd-based systems anyway: https://systemd.io/UIDS-GIDS#summary
-net.ipv4.ping_group_range = 0 2147483647
Kind Regards,
Bas
--
GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
More information about the Pkg-nagios-devel
mailing list