Message-Id: <20111019.193435.1214580639401316303.davem@davemloft.net>
Date:	Wed, 19 Oct 2011 19:34:35 -0400 (EDT)
From:	David Miller <davem@...emloft.net>
To:	zenczykowski@...il.com
Cc:	maze@...gle.com, netdev@...r.kernel.org, bazsi@...abit.hu
Subject: Re: [PATCH] net: change capability used by socket options IP{,V6}_TRANSPARENT

From: Maciej Żenczykowski <zenczykowski@...il.com>
Date: Mon, 17 Oct 2011 15:16:23 -0700

> From: Maciej Żenczykowski <maze@...gle.com>
> 
> Up till now the IP{,V6}_TRANSPARENT socket options (which actually set
> the same bit in the socket struct) have required CAP_NET_ADMIN
> privileges to set or clear the option.
> 
> - we make clearing the bit not require any privileges.
> - we deprecate using CAP_NET_ADMIN for this purpose.
> - we allow CAP_NET_RAW to set this bit, because raw
>   sockets already effectively allow you to emulate socket
>   transparency.
> - we print a warning (but allow it) if you try to set the socket
>   option with CAP_NET_ADMIN privs, but without CAP_NET_RAW.
> 
> Signed-off-by: Maciej Żenczykowski <maze@...gle.com>

Warnings for something that has worked ever since the feature was
added, and in fact was the only way to make use of the feature, are
terrible.

You must support the status quo forever or else you risk breaking
existing setups.  So the warning is pointless; you'll never be
able to remove CAP_NET_ADMIN from these code paths, so there is
zero value in warning about it because we'll never change this.

I'm disliking these changes more and more.  I refuse to apply this
patch.
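The discussion above is about which capability gates setting and clearing IP_TRANSPARENT / IPV6_TRANSPARENT. The following program is an added example, not code from the patch or from the netdev thread: it is a small audit probe that a defender can run inside a sandbox or service account to find out whether that process is allowed to set the option (and whether it can clear it again), by attempting the setsockopt call and recording the errno the running kernel returns. The struct and function names are this example's own; the fallback numeric values for the option constants are the Linux ones and are only used if the system headers do not define them.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Linux option numbers, defined here only if <netinet/in.h> lacks them. */
#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19
#endif
#ifndef IPV6_TRANSPARENT
#define IPV6_TRANSPARENT 75
#endif

/* Outcome of one probe. Each field holds the errno observed (0 = accepted).
 * If sock_errno != 0 no socket could be created and the other fields are
 * meaningless. */
struct transparent_probe {
    int sock_errno;
    int set_errno;
    int clear_errno;
};

/* Try to set and then clear the transparency bit on a fresh socket of the
 * given family (AF_INET or AF_INET6). Whether "set" succeeds depends on the
 * capabilities of the calling process and on the kernel's policy (CAP_NET_ADMIN
 * historically; the patch under discussion would also accept CAP_NET_RAW and
 * make clearing unprivileged). */
struct transparent_probe probe_ip_transparent(int family)
{
    struct transparent_probe r = {0, 0, 0};
    int level = (family == AF_INET6) ? IPPROTO_IPV6 : IPPROTO_IP;
    int opt   = (family == AF_INET6) ? IPV6_TRANSPARENT : IP_TRANSPARENT;
    int on = 1, off = 0;

    int fd = socket(family, SOCK_STREAM, 0);
    if (fd < 0) {
        r.sock_errno = errno;
        return r;
    }
    if (setsockopt(fd, level, opt, &on, sizeof on) < 0)
        r.set_errno = errno;
    if (setsockopt(fd, level, opt, &off, sizeof off) < 0)
        r.clear_errno = errno;
    close(fd);
    return r;
}

/* Map an errno from the probe to a short audit verdict. */
const char *transparent_verdict(int err)
{
    if (err == 0)
        return "granted";
    if (err == EPERM)
        return "denied (missing capability)";
    if (err == ENOPROTOOPT)
        return "option not supported by this kernel";
    return strerror(err);
}

int main(void)
{
    const int families[2] = { AF_INET, AF_INET6 };
    const char *names[2] = { "IP_TRANSPARENT", "IPV6_TRANSPARENT" };

    for (int i = 0; i < 2; i++) {
        struct transparent_probe r = probe_ip_transparent(families[i]);
        if (r.sock_errno) {
            printf("%-17s socket(): %s\n", names[i], strerror(r.sock_errno));
            continue;
        }
        printf("%-17s set: %s; clear: %s\n", names[i],
               transparent_verdict(r.set_errno),
               transparent_verdict(r.clear_errno));
    }
    return 0;
}
```

Run it once as an ordinary user and once with only CAP_NET_RAW (for example via a file capability on the binary) to see which capability the kernel you are running actually honours; a "granted" verdict for an unprivileged service account is the finding worth following up, since transparency lets a socket bind to addresses the host does not own.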