| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 24 Apr 2014 18:37:12 +0200 From: Hannes Frederic Sowa <hannes@...essinduktion.org> To: Ben Hutchings <ben@...adent.org.uk> Cc: Florian Westphal <fw@...len.de>, netdev <netdev@...r.kernel.org>, Vasiliy Kulikov <segoon@...nwall.com>, lorenzo@...gle.com Subject: Re: [RFC][PATCH] IP: Make ping sockets optional On Thu, Apr 24, 2014 at 05:02:00PM +0100, Ben Hutchings wrote: > On Thu, 2014-04-24 at 17:17 +0200, Hannes Frederic Sowa wrote: > > On Wed, Apr 23, 2014 at 06:27:12PM +0200, Florian Westphal wrote: > > > Ben Hutchings <ben@...adent.org.uk> wrote: > > > > Userspace can't assume it now because access is controlled by a sysctl. > > > > > > > > I think it is for distributions to choose whether to enable this feature > > > > in ping and the kernel. > > > > > > I am not (yet) buying this argument. > > > > > > Saying 'you need to change sysctl foo for this to work' in a program manpage > > > is a lot different than 'you need to recompile the kernel'. > > > > Maybe we can make the Kconfig option depend on CONFIG_EMBEDDED so that we can > > be sure people don't have man-pages on the device. ;) > > > > Seriously, I think doing authorization check based on gids in a sysctl is > > wrong. > > It is quite weird but perhaps made sense in the context of some embedded > systems. The origins of this interface are in the openwall project. I assume embedded devices were not that high up on their agenda. > > Switching over to capabilities seems to make this interface much > > more useable to me. But we would need to make sure, that we don't suddenly > > allow people to use those sockets where it was restricted previously. > > Standard ping could already be implemented as setcap (CAP_NET_RAW). You > want a capability just for ping? That came to my mind at first, yes. Hm, that's quite difficult: I don't think we can stop respecting ping_group_range. So one possibility is to just always allow icmp socket access if CAP_NET_RAW is in the effective set *or* user is in a valid gid. But why should people switch to icmp sockets and why should we add more code to iputils then if they also have full CAP_NET_RAW? We could be nitpicking and add a new capability, but I would be too lazy to do that for the very little gain to give users only access to ping/traceroute without giving access to the whole NET_RAW world. We absolutely cannot abandon the interface as it already is in use by android, as Lorenzo stated. Will android switch to file based capabilities in some time? Is that possible? I think I am in favour of the Kconfig option that it can be disabled or compiled as a module (maybe only visible with CONFIG_EMBEDDED) and push that on the deprecated list as file based capabilities made this socket type unnecessary. Any thoughts? Bye, Hannes -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists