Message-Id: <20070206.114659.107250775.davem@davemloft.net>
Date: Tue, 06 Feb 2007 11:46:59 -0800 (PST)
From: David Miller <davem@...emloft.net>
To: hidden@...abit.hu
Cc: kaber@...sh.net, netfilter-devel@...ts.netfilter.org,
netdev@...r.kernel.org
Subject: Re: IP_FREEBIND and CAP_NET_ADMIN
From: KOVACS Krisztian <hidden@...abit.hu>
Date: Tue, 6 Feb 2007 15:36:18 +0100
> Neither of these requires IP_FREEBIND as core functionality, and they will
> probably work if IP_FREEBIND were bound to CAP_NET_ADMIN.
>
> So the question is: shall we take the IP_FREEBIND approach, which would
> change a hardly ever used interface by requiring CAP_NET_ADMIN
> capabilities, or should we try finding all the scattered places in the
> Linux IP stack which do a route lookup?
We're not going to remove functionality from the user for the
sake of convenience of something you are trying to write.
If it were some security hole, then fine, but it's not, so it
can stay, and it does have legitimate uses.
This freebind behavior should actually be the default, but we had to
put the socket option and sysctl there because allowing freebind by
default makes several test suites fail that try to purposely bind to a
non-local address and expect an error return.
It allows servers to bind when your on-demand connection is down.
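The behaviour described above can be checked from an unprivileged process. The following is an added example written for this page, not code from the thread or from the kernel tree: it binds a UDP socket to an address the host does not have, first without and then with IP_FREEBIND. It assumes Linux, that 192.0.2.1 (RFC 5737 TEST-NET-1) is not configured on any local interface, and that the net.ipv4.ip_nonlocal_bind sysctl is at its default of 0.

```c
/*
 * Added example, not part of the original thread: probe the IP_FREEBIND
 * behaviour. Without the option (and with net.ipv4.ip_nonlocal_bind = 0,
 * assumed here) binding to a non-local address fails with EADDRNOTAVAIL;
 * with the option the bind succeeds even though the address is absent,
 * which is what lets a server start while an on-demand link is down.
 * 192.0.2.1 (RFC 5737 TEST-NET-1) is assumed not to be a local address.
 */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_FREEBIND
#define IP_FREEBIND 15 /* Linux value, in case the libc headers lack it */
#endif

/*
 * Try to bind a UDP socket to addr with an ephemeral port, optionally
 * setting IP_FREEBIND first. Returns 0 if the bind succeeds, otherwise
 * the errno value of the call that failed.
 */
int try_bind(const char *addr, int freebind)
{
    struct sockaddr_in sin;
    int fd, err = 0;

    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return errno;

    if (freebind) {
        int one = 1;
        /* IP_FREEBIND needs no capability; that is the point of the thread. */
        if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof one) < 0) {
            err = errno;
            close(fd);
            return err;
        }
    }

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = 0; /* kernel picks a port, so no CAP_NET_BIND_SERVICE either */
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1) {
        close(fd);
        return EINVAL;
    }

    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0)
        err = errno;
    close(fd);
    return err;
}

static void report(const char *addr, int freebind)
{
    int err = try_bind(addr, freebind);
    printf("bind %s %s IP_FREEBIND: %s\n", addr,
           freebind ? "with" : "without",
           err ? strerror(err) : "ok");
}

int main(void)
{
    report("127.0.0.1", 0); /* local address: binds fine either way */
    report("192.0.2.1", 0); /* non-local, default: EADDRNOTAVAIL */
    report("192.0.2.1", 1); /* non-local with IP_FREEBIND: ok */
    return 0;
}
```

Setting the sysctl mentioned in the message (net.ipv4.ip_nonlocal_bind = 1) makes the second probe succeed as well, without any per-socket option; that system-wide switch is what would break the test suites that expect the error return.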