Ping doesn't work as non root user


I have an oddly specific problem with the ping tool included in the BSP. First of all, it definitely worked with an older BSP version, however, I cannot tell the exact version breaking the wheel (as it is only a network diagnostic tool which isn’t used that much by our customers).

First to the architecture:
We have dedicated user, let’s call him Bob. And we have a Qt application which is auto started with systemd running with this user.

This is the corresponding source code:

bool Network::Ping(const QString &host)
	return QProcess::execute("ping", QStringList() << "-c" << "1" << host) == QProcess::NormalExit;

Now we face the problem, that pings from our application result into the following error:

Aug 21 18:32:40 colibri-imx6 sh[386]: PING ( 56 data bytes
Aug 21 18:32:40 colibri-imx6 sh[386]: ping: permission denied (are you root?)

The message is speaking for itself, no we are note root, we are Bob.

Now the interesting part:
If I switch to the user Bob on the command line, the ping utility works as expected:

root@colibri-imx6:~# su - Bob
colibri-imx6:~$ ping
PING ( 56 data bytes
64 bytes from seq=0 ttl=56 time=14.138 ms
64 bytes from seq=1 ttl=56 time=14.726 ms
64 bytes from seq=2 ttl=56 time=10.158 ms
64 bytes from seq=3 ttl=56 time=13.993 ms
--- ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 10.158/13.253/14.726 ms

After some research on Google, i also tried the following things:

  • Setting the sticky bit with chmod +s /bin/ping
  • Configure net.ipv4.ping_group_range
  • Installing the iputils package and using those ping binary instead

Nothing from that list solved our problem, however the last one results into a different error:

Sep 16 20:52:18 colibri-imx6 sh[1161]: ping: icmp open socket: Permission denied
Sep 16 20:52:18 colibri-imx6 sh[1161]: ping: unknown host

Any suggestions on how to resolve this error?


This looks strange.

The attached code for me works on 2.8b6, could you try that on your side?

colibri-imx6:~$ ls -l                                                           
-rwxr-xr-x    1 mk       mk           12728 Sep 17 12:55 a.out                  
colibri-imx6:~$ pwd                                                             
colibri-imx6:~$ whoami                                                          
colibri-imx6:~$ ./a.out                                                         
PING ( 56 data bytes                                 
64 bytes from seq=0 ttl=53 time=31.113 ms                       
--- ping statistics ---                                              
1 packets transmitted, 1 packets received, 0% packet loss                       
round-trip min/avg/max = 31.113/31.113/31.113 ms                                
ping finished                                                                   

Does your qt program also fail if the Qt program is run as root?

Did the Qt version used change between the known good version to the failing one?

Setting the sticky bit with chmod +s /bin/ping
For busybox ping /bin/ping is symlinked to /bin/busybox.suid which as the name suggests does have the suid bit set. So no surprise that you did not observe a change.

Installing the iputils package and using those ping binary instead
I guess the full fledged ping have a different way to report the error.


Hey @max.tx !

Thanks for your response and very thank you for your input!

Your binary works - just as I expected. However it was quite dumb me that didn’t even tested running it with root, as it is not a real option for us. And it doesn’t work.

After that, I tried running it from the console (without systemd, to be exactly from Qt Creator remotely) with root and ta-da, it works.
So user rights don’t seem to be the problem. Maybe our systemd service is missing some capabilities?

The systemd service file:

Description=Company App

ExecStart=/bin/sh /home/bob/



That CapabilityBoundingSet looks like the source of ping not working.
I guess adding additionally CAP_NET_RAW would make ping work.
If that increases the devices vulnerability nees to be evaluated by you.


Hi @max.tx

Thanks, that works.
I will investigate the security impacts of CAP_NET_RAW.

BR Christian