
The usage of ping requires it to run as root. And this can open a big security issue, as the parameter host of the function "check_ping" can be used for a root command injection.

I know that this is not going to be exposed on Internet, but I think it should be fixed in any case. I am at work, but I can open a PR fixing it later.



It doesn't need to be fixed. There isn't an issue here.

Depending on the OS, ping is either set setuid[1] as root, or more commonly these days, ping is granted a "capability"[2], such as CAP_NET_RAW on Linux. macOS does things a little differently[3].

This allows non-root users to run stuff like ping without granting them full root access. You do not need to, nor should you, run the script as root.

    % ls -l /usr/bin/ping
    -rwxr-xr-x 1 root root 89768 Apr  8 09:00 /usr/bin/ping
    
    % getcap /usr/bin/ping
    /usr/bin/ping cap_net_raw=ep

    ~
    % whoami
    jake
    
    ~
    % id
    uid=1000(jake) gid=1000(jake) groups=1000(jake),4(adm),24(cdrom)
    
    % ping -c 3 8.8.8.8
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=117 time=9.195 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=8.837 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=10.998 ms
    
    --- 8.8.8.8 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 8.837/9.677/10.998/0.946 ms

Hope that helps. Happy to elaborate on any unclear points.

1. https://unix.stackexchange.com/questions/382771/why-does-pin...

2. https://unix.stackexchange.com/questions/592911/how-does-pin...

3. https://apple.stackexchange.com/questions/312857/how-does-ma...

Edit: updated explanation a bit.


Further, I'm not sure you can do command injection, as the `host` variable is treated as a single token in the shell call. `host = "google.com; wget exploit"` won't run `wget exploit`.

Happy to learn if there's a more nefarious trick that gets around this, though.
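The single-token behaviour described in the comment above, as an added example that is not part of the thread or the project's code. It assumes `check_ping` passes `host` as one element of an argument list; the Python child process standing in for ping, the function names and the `is_valid_host` allow-list are all hypothetical.

```python
import ipaddress
import json
import re
import shlex
import subprocess
import sys

# Stand-in for ping (assumption): a child that prints the arguments it
# received as JSON, so the example runs offline and sends no packets.
CHILD = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))"]
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")  # one DNS label


def run_argv(host):
    """argv list, no shell: host reaches the child as exactly one argument."""
    proc = subprocess.run(CHILD + ["-c", "1", host],
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def run_shell_string(host):
    """Anti-pattern: host is pasted into a string that /bin/sh re-parses."""
    cmd = shlex.join(CHILD) + " -c 1 " + host
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


def is_valid_host(host):
    """Allow-list: an IP literal or a dotted hostname, nothing else."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    if not 0 < len(host) <= 253:
        return False
    return all(LABEL.fullmatch(part) for part in host.rstrip(".").split("."))


if __name__ == "__main__":
    payload = "example.invalid; echo INJECTED"  # constructed sample input
    print(run_argv(payload))          # one argument, metacharacters inert
    print(run_shell_string(payload))  # the shell splits the string at ';'
    print([is_valid_host(h) for h in ("8.8.8.8", "google.com", payload)])
```

The allow-list also rejects values that start with `-`, so a host string cannot be read by the called program as an option.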


On Linux, "net.ipv4.ping_group_range" is typically used to allow unprivileged users to do ICMP echo requests. Setting the setuid bit or granting a capability are both very old ways of doing this.


This is new to me.

So, here's what I see on Ubuntu 24.04 LTS:

    $ sudo sysctl -a | grep net.ipv4.ping
    net.ipv4.ping_group_range = 1 0

The man page[1] states:

    ping_group_range (two integers; default: see below; since Linux 2.6.39)
    Range of the group IDs (minimum and maximum group IDs,
    inclusive) that are allowed to create ICMP Echo sockets.
    >>The default is "1 0", which means no group is allowed to
    create ICMP Echo sockets.<<

This would seem to indicate this isn't being used -- at least on Ubuntu? What am I missing?

1. https://www.man7.org/linux/man-pages/man7/icmp.7.html


Asking because I genuinely don't know, but why not use Python's `urllib.request` instead of `ping`?


TL;DR: apples and oranges. Plus, monitoring is hard.

"urllib.request" sends an HTTP request. It implies that the thing you want to monitor is an HTTP endpoint. Even if that's true, you still have to decide whether you're okay with just getting a 200 status code back, or whether you want to scrape the page for a certain result as your signal of healthy or broken.

"ping" is an ICMP echo/reply. Ignoring that ICMP messages can be blocked by routers, an ICMP reply can tell you that the host's network interface is alive and that's about all. It doesn't mean any service on that host is online. I have seen hosts that send ICMP replies but were otherwise fully hung by some storage or kernel issue.



