lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 24 Apr 2014 17:02:00 +0100
From:	Ben Hutchings <ben@...adent.org.uk>
To:	Hannes Frederic Sowa <hannes@...essinduktion.org>
Cc:	Florian Westphal <fw@...len.de>, netdev <netdev@...r.kernel.org>,
	Vasiliy Kulikov <segoon@...nwall.com>
Subject: Re: [RFC][PATCH] IP: Make ping sockets optional

On Thu, 2014-04-24 at 17:17 +0200, Hannes Frederic Sowa wrote:
> On Wed, Apr 23, 2014 at 06:27:12PM +0200, Florian Westphal wrote:
> > Ben Hutchings <ben@...adent.org.uk> wrote:
> > > Userspace can't assume it now because access is controlled by a sysctl.
> > > 
> > > I think it is for distributions to choose whether to enable this feature
> > > in ping and the kernel.
> > 
> > I am not (yet) buying this argument.
> > 
> > Saying 'you need to change sysctl foo for this to work' in a program manpage
> > is a lot different than 'you need to recompile the kernel'.
> 
> Maybe we can make the Kconfig option depend on CONFIG_EMBEDDED so that we can
> be sure people don't have man-pages on the device. ;)
> 
> Seriously, I think doing authorization check based on gids in a sysctl is
> wrong.

It is quite weird but perhaps made sense in the context of some embedded
systems.

> Switching over to capabilities seems to make this interface much
> more useable to me. But we would need to make sure, that we don't suddenly
> allow people to use those sockets where it was restricted previously.

Standard ping could already be implemented as setcap (CAP_NET_RAW).  You
want a capability just for ping?

Ben.

-- 
Ben Hutchings
Beware of programmers who carry screwdrivers. - Leonard Brandwein

Download attachment "signature.asc" of type "application/pgp-signature" (812 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ