[RndTbl] latest kernel needs setcap even as root??

Trevor Cordes trevor at tecnopolis.ca
Tue Nov 29 03:49:39 CST 2016

Just upgraded a few boxes to kernel 4.8.8-100.fc23.  It seems this latest 
kernel (or maybe 1 or 2 versions going back 1-2 months) changed something.

I have a script that generates pings (using SOCK_RAW to make its own 
packets) that I run as root.  Worked fine until now.  In the new kernel I 
get "Operation not permitted" on the socket() call.  Digging around the 
net, I found that I need to do:

setcap cap_net_raw+p /foo/myscript

Then when I run it, it works fine.

Ok, great, but *** I'm running the script as root ***!!!  Huh?  Since when 
did root need to specify capabilities to run stuff as root?  What is this, 

Is there some major paradigm change in the latest kernels where this is a 
"feature" and not a bug?  Just wanted to do a sanity check before I file a 

Oh ya, selinux is disabled, so that's not the problem.  Lots of chatter on 
the net about this problem but everyone talking about it is talking about 
the non-root use case.  It would appear my issue is something brand new.

Aside: As for the script, I'm doing really wacky stuff on purpose, and I 
really needed direct control over the packet, so I can't just abandon 

More information about the Roundtable mailing list