Message-ID: <20100703234813.GJ24655@chipmunk>
Date: Sun, 4 Jul 2010 00:48:13 +0100
From: Alexander Clouter <alex@...riz.org.uk>
To: Philip Prindeville <philipp_subx@...fish-solutions.com>
Cc: netdev@...r.kernel.org
Subject: Re: setsockopt(IP_TOS) being privileged or distinct capability?
Hi,
* Philip Prindeville <philipp_subx@...fish-solutions.com> [2010-07-03 17:07:52-0600]:
>
> On 7/3/10 12:55 PM, Alexander Clouter wrote:
>>
>>> Does anyone else think that setsockopt(IP_TOS) should be a privileged
>>> operation, perhaps using CAP_NET_ADMIN, or maybe even adding separate
>>> granularity as CAP_NET_TOS?
>>>
>>>
>> I really would prefer not having to run telnet and ssh *clients* as
>> root. :)
>
> Don't ping and traceroute -I currently run as root?
>
Indeed, but I have no idea what that has to do with ToS/DSCP flags?
ping and (old skool) traceroute use ICMP where you need to open a
privileged socket to send and receive ICMP packets. Opening a UDP/TCP
socket is an unprivileged operation and so is setsockopt(IP_TOS).
I'm guessing (if you excuse me Google-stalking you) this is all linked
to:
https://bugzilla.mindrot.org/show_bug.cgi?id=1733
You have to bear in mind ToS is a marking that userland can utilise to
request that the network provides it with a particular QoS, this does
not mean for an instant the network has to honour that (I know my ISP
does not and neither does my work network I sysadmin for)...otherwise
nothing would stop me using:
iptables -t mangle -I POSTROUTING -j DSCP --set-dscp-class EF
QoS is meaningless unless you place boundaries on the policies; the
ToS/DSCP marking should only be used as a *hint* for classification of
traffic flows.
For example, 'interactive' and 'low latency' (in the case of SSH or
telnet) should not exceed 10kB/s...unless you like to play 0verkill :)
Anything marking its traffic as interactive but shutting traffic at
500kB/s is obviously telling lies. If you build your policing rules to
blindly accept whatever is in the ToS/DSCP field, you are configuring a
DoS vector on your network.
Cheers
--
Alexander Clouter
.sigmonster says: A rolling stone gathers momentum.
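As an added illustration of the point made in this reply (not code from the thread or from any of its participants): a small Linux program that, as an ordinary unprivileged user, opens a plain UDP socket, sets IP_TOS to the same EF code point the iptables rule above uses, and reads it back. The function names dscp_to_tos and tos_after_set are my own; the kernel stores whatever the process asks for, which is why the mark can only ever be a hint to the network's policing rules.

```c
/* Added example: IP_TOS on an unprivileged UDP socket (Linux). */
#include <netinet/in.h>
#include <netinet/ip.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Convert a 6-bit DSCP code point to the 8-bit TOS byte (ECN bits zero).
 * EF is 46, so dscp_to_tos(46) == 0xb8 (glibc's IPTOS_DSCP_EF). */
int dscp_to_tos(int dscp)
{
    if (dscp < 0 || dscp > 63)
        return -1;              /* not a valid code point */
    return dscp << 2;
}

/* Open a fresh UDP socket, set IP_TOS to `tos`, and return the value the
 * kernel reports back via getsockopt, or -1 if any call failed.
 * No privilege is required at any step. */
int tos_after_set(int tos)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    int got = -1;
    socklen_t len = sizeof(got);
    int rc = setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof(tos));
    if (rc == 0)
        rc = getsockopt(fd, IPPROTO_IP, IP_TOS, &got, &len);
    close(fd);
    return rc == 0 ? got : -1;
}

int main(void)
{
    int ef = dscp_to_tos(46);   /* DSCP class EF */
    int got = tos_after_set(ef);
    printf("uid %u requested TOS 0x%02x, kernel now reports 0x%02x\n",
           (unsigned)getuid(), ef, got);
    /* A policer that trusts this byte blindly lets any user claim EF. */
    return got == ef ? 0 : 1;
}
```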