python非特权ICMP [英] python non-privileged ICMP
问题描述
在尝试找出从python ping(ICMP)内容的最佳方法时,我遇到了以下问题:
While trying to figure out the best method to ping (ICMP) something from python, I came across these questions:
- How can I perform a ping or traceroute in python, accessing the output as it is produced?
- ping a site in python
- How can I perform a ping or traceroute using native python?
答案通常归结为使用具有root特权的第三方模块"或使用系统的ping命令并解析输出".在本机方法中, icmplib 和 M. Cowles和J. Diemer的ping.py 明确提到需要root特权, scapy也是如此 手册.
The answers generally boil down to "use this third party module with root privileges" or "use the system's ping command and parse the output". Of the native methods, icmplib and M. Cowles and J. Diemer's ping.py explicitly mention the need for root privileges, as does the scapy manual.
因此,从这一方面来说,在本地发送没有特殊特权的ICMP ping似乎是不可能的. system ping命令确实以某种方式进行管理,但其手册页并未对此进行任何说明.另一方面, icmp手册页似乎说有可能:
So from that front, natively sending ICMP pings without special privileges seems impossible. The system ping command does manage somehow, but its man page doesn't shed any light on how. The man page for icmp, on the other hand, seems to say it's possible:
Non-privileged ICMP
ICMP sockets can be opened with the SOCK_DGRAM socket type without
requiring root privileges. The synopsis is the following:
socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP)
Datagram oriented ICMP sockets offer a subset of the functionality avail-
able to raw ICMP sockets. Only IMCP request messages of the following
types can be sent: ICMP_ECHO, ICMP_TSTAMP or ICMP_MASKREQ.因此,至少根据icmp看来,这是允许的.那么为什么所有的python工具都无法做到这一点呢? python工具是否太通用,并且希望特权套接字上的任何工作都可以特权?是否可以在C中编写一个可以在没有root特权的情况下ping的ping函数,并以此扩展python?有人做过吗?我只是误解了这个问题吗?
So it would seem that, at least according to icmp, it's allowed. So why is it that all the python tools are unable to do this? Are the python tools too general and expect any work on privileged sockets to be privileged? Would it be possible to write a ping function in C that can ping without root privileges, and extend python with this? Has anyone done this? Have I just misunderstood the problem?
推荐答案
ping程序已安装为setuid root.这样,任何用户都可以使用该程序,并且仍然可以打开原始套接字.
The ping program is installed setuid root. This allows any user to use the program, and still be able to open a raw socket.
打开原始套接字后,通常会删除root特权.
After it opens the raw socket, it typically drops root privs.
通常需要原始套接字才能正确执行ICMP,并且通常限制原始套接字.因此,这根本不是python的错.
You generally need a raw socket to do ICMP correctly, and raw sockets are usually restricted. So it's not really python's fault at all.
关于上述有关ICMP的内容,显然许多实现实际上并没有很好地支持这些标志的组合.因此,大多数实现可能仅使用它们了解"在大多数/所有体系结构上的工作方式.
Regarding the bit about ICMP above, apparently many implementations don't really support those combinations of flags well. So it is likely that most implmentations just use the way they "know" works on most / all architectures.
这篇关于python非特权ICMP的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
