| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 24 Apr 2014 17:17:48 +0200 From: Hannes Frederic Sowa <hannes@...essinduktion.org> To: Florian Westphal <fw@...len.de> Cc: Ben Hutchings <ben@...adent.org.uk>, netdev <netdev@...r.kernel.org>, Vasiliy Kulikov <segoon@...nwall.com> Subject: Re: [RFC][PATCH] IP: Make ping sockets optional On Wed, Apr 23, 2014 at 06:27:12PM +0200, Florian Westphal wrote: > Ben Hutchings <ben@...adent.org.uk> wrote: > > Userspace can't assume it now because access is controlled by a sysctl. > > > > I think it is for distributions to choose whether to enable this feature > > in ping and the kernel. > > I am not (yet) buying this argument. > > Saying 'you need to change sysctl foo for this to work' in a program manpage > is a lot different than 'you need to recompile the kernel'. Maybe we can make the Kconfig option depend on CONFIG_EMBEDDED so that we can be sure people don't have man-pages on the device. ;) Seriously, I think doing authorization check based on gids in a sysctl is wrong. Switching over to capabilities seems to make this interface much more useable to me. But we would need to make sure, that we don't suddenly allow people to use those sockets where it was restricted previously. Greetings, Hannes -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists