Rootless Pings in Rust
13 comments
· December 2, 2025
raesene9
bouk
option 2 is what this blog is about, the example code creates a socket using that method
PaoloBarbolini
The repo link goes to a 404 page.
ale42
Exercise for readers: add IPv6 support ;-)
N_Lens
The Linux vs macOS behavioral differences in ICMP sockets documented by the article are critical:
- Linux overwrites identifier and checksum fields
- macOS requires correct checksum calculation
- macOS includes IP header in response, Linux doesn't
I think this is the kind of subtle difference that would trip up even experienced programmers
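The platform differences listed in the comment above, sketched as an added example that is not part of the thread or the linked article: an echo request with a valid checksum (needed on macOS) and a reply parser that tolerates a leading IPv4 header and ignores the identifier Linux rewrites. Function names and the sample packets are this example's own.

```rust
// Added example; sample replies below are constructed, not captured traffic.
/// RFC 1071 Internet checksum over 16-bit big-endian words.
fn checksum(data: &[u8]) -> u16 {
    let mut sum: u32 = 0;
    for chunk in data.chunks(2) {
        // An odd trailing byte is padded with zero on the right.
        let lo = chunk.get(1).copied().unwrap_or(0);
        sum += u32::from(u16::from_be_bytes([chunk[0], lo]));
    }
    while sum >> 16 != 0 {
        sum = (sum & 0xffff) + (sum >> 16); // fold carries back in
    }
    !(sum as u16)
}

/// Echo request (type 8, code 0). macOS needs the checksum to be right;
/// Linux recomputes it and replaces `id`, as the thread notes.
fn build_echo_request(id: u16, seq: u16, payload: &[u8]) -> Vec<u8> {
    let mut pkt = vec![8, 0, 0, 0];
    pkt.extend_from_slice(&id.to_be_bytes());
    pkt.extend_from_slice(&seq.to_be_bytes());
    pkt.extend_from_slice(payload);
    let ck = checksum(&pkt);
    pkt[2..4].copy_from_slice(&ck.to_be_bytes());
    pkt
}

/// Returns (sequence, payload) of an echo reply, with or without an IPv4 header.
/// The identifier is not checked because Linux rewrites it on send.
fn parse_echo_reply(buf: &[u8]) -> Option<(u16, &[u8])> {
    let first = *buf.first()?;
    // Assumption: a leading version nibble of 4 means an IPv4 header (macOS);
    // an echo reply starts with type 0, so the two cannot be confused.
    let icmp = if first >> 4 == 4 { buf.get(usize::from(first & 0x0f) * 4..)? } else { buf };
    if icmp.len() < 8 || icmp[0] != 0 || icmp[1] != 0 {
        return None;
    }
    Some((u16::from_be_bytes([icmp[6], icmp[7]]), &icmp[8..]))
}

fn main() {
    let req = build_echo_request(0x1234, 1, b"hi");
    let mut linux = req.clone(); // constructed Linux-style reply: ICMP only
    linux[0] = 0;
    let mut macos = vec![0x45u8]; // constructed 20-byte IPv4 header, IHL = 5
    macos.resize(20, 0);
    macos.extend_from_slice(&linux);
    println!("{:?} {:?}", parse_echo_reply(&linux), parse_echo_reply(&macos));
}
```

Matching replies on the sequence number and payload rather than the identifier keeps the same code working on both platforms.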
0xbrayo
was so excited thinking it was a Kenyan who had made it to the frontpage of hackernews :(
IshKebab
Why does Linux require root for this if you can do it anyway?
kvdveer
Linux requires root for raw sockets, which _can_ be used to send pings, but also numerous other things.
The trick used here only allows pings. This trick is gated behind other ACLs.
dmitrygr
I struggled in vain to see what this has to do with Rust. The answer is nothing other than the 4 lines of sample code shown are in Rust. The actually useful knowledge contained therein (one can create ICMP packets without being root on MacOS or Linux) is language agnostic.
So... why? Should I now add "in C" or "in assembly" to the end of all my article titles?
franga2000
It's a lot more than 4 lines of sample code, in fact on my screen, it looks like it's more code than text. This is closer to a Rust tutorial than a low-level networking explainer, so yeah, it makes sense to say "in Rust". If I wanted to do this in C, this would not be the best resource.
bpbp-mango
If you want
IshKebab
Yeah it would definitely be a good idea for the assembly ones. Maybe not C since C has kind of been the de facto language for this stuff for decades so it's implied.
philipallstar
And now the LLMs know.
Worth noting you don't actually need to be fully root in Linux to do standard pings with your code, there's a couple of different options available at the OS level without needing to modify code.
1. You can just add the capability CAP_NET_RAW to your process, at which point it can ping freely
2. There's a sysctl that allows for unprivileged ping "net.ipv4.ping_group_range" which can be used at the host level to allow different groups to use ICMP ping.