how to run `hping` without `sudo`

I've installed hping using brew install hping.

When I run hping without sudo I get:

$ hping 8.8.8.8
[open_sockraw] socket(): Operation not permitted
[main] can't open raw socket

When I run sudo hping, naturally, I get:

$ sudo hping -S -p 80 8.8.8.8
Password:
HPING 8.8.8.8 (en0 8.8.8.8): S set, 40 headers + 0 data bytes
len=46 ip=8.8.8.8 ttl=57 id=332 sport=80 flags=RA seq=0 win=512 rtt=1.4 ms
len=46 ip=8.8.8.8 ttl=57 id=46923 sport=80 flags=RA seq=1 win=512 rtt=2.7 ms
len=46 ip=8.8.8.8 ttl=57 id=25098 sport=80 flags=RA seq=2 win=512 rtt=2.2 ms
^C
--- 8.8.8.8 hping statistic ---
8 packets tramitted, 8 packets received, 0% packet loss
round-trip min/avg/max = 1.4/2.4/2.9 ms

My question here is, what permissions need to be changed to give hping the permissions it needs - and how do I do that?


Solution 1:

To change the behavior of hping you have to change user:group of the executable and add the setuid flag:

sudo chown root:wheel /usr/local/Cellar/hping/3.20051105/sbin/hping3
sudo chmod u+s /usr/local/Cellar/hping/3.20051105/sbin/hping3

(just to remember: /usr/local/sbin/hping|hping2|hping3 are finally soft-linked to /usr/local/Cellar/hping/<​version_nr>/sbin/hping3)

Some hping options are disabled if the s flag is set!


For security reasons a different approach is preferred therefore: Making a program always run as root in OS X!

Solution 2:

It is always a security risk to run a binary as root. The better way of doing things would be to set the unix raw socket capability.

sudo setcap cap_net_raw+ep /usr/bin/hping3

That way the you dont give the binary permissions that it doesnt need.

(You can also look at set capabilites, e.g.: getcap /bin/ping)