On Tue, Feb 24, 2026 at 10:49:04PM +1100, James Tocknell wrote:
> A script which shows the issue is (run as a non-root user):
>
> $ sudo ip netns add temp &&
> sudo ip -netns temp link set lo up &&
> sudo ip netns exec temp su $USER -c "ping 127.0.0.1"
> [sudo] password for <user>:
> ping: socktype: SOCK_RAW
> ping: socket: Operation not permitted
> ping: => missing cap_net_raw+p capability or setuid?
>
> You can call sysctl with a modified net.ipv4.ping_group_range range
> within the namespace, but that requires that it occurs in every new
> namespace, whereas the capability addition can be done once.

Correct.

> The example of how iproute2 handles optionally adding capabilities is at
> https://salsa.debian.org/kernel-team/iproute2/-/blob/debian/sid/debian/iproute2.postinst,
> I can port this over for ping and make a merge request on salsa if
> that would help?

No, we removed that code deliberately some time ago, and will not be
installing ping with additional capabilities in the future.

https://salsa.debian.org/debian/iputils/-/commit/b86c32f4c502b95bab6e37b5947a28a25fcbb6a1#ea5e2ec0d0cf357b4a00c4bc209030230895b2bd

noah

