lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20140424163712.GJ1960@order.stressinduktion.org>
Date:	Thu, 24 Apr 2014 18:37:12 +0200
From:	Hannes Frederic Sowa <hannes@...essinduktion.org>
To:	Ben Hutchings <ben@...adent.org.uk>
Cc:	Florian Westphal <fw@...len.de>, netdev <netdev@...r.kernel.org>,
	Vasiliy Kulikov <segoon@...nwall.com>, lorenzo@...gle.com
Subject: Re: [RFC][PATCH] IP: Make ping sockets optional

On Thu, Apr 24, 2014 at 05:02:00PM +0100, Ben Hutchings wrote:
> On Thu, 2014-04-24 at 17:17 +0200, Hannes Frederic Sowa wrote:
> > On Wed, Apr 23, 2014 at 06:27:12PM +0200, Florian Westphal wrote:
> > > Ben Hutchings <ben@...adent.org.uk> wrote:
> > > > Userspace can't assume it now because access is controlled by a sysctl.
> > > > 
> > > > I think it is for distributions to choose whether to enable this feature
> > > > in ping and the kernel.
> > > 
> > > I am not (yet) buying this argument.
> > > 
> > > Saying 'you need to change sysctl foo for this to work' in a program manpage
> > > is a lot different than 'you need to recompile the kernel'.
> > 
> > Maybe we can make the Kconfig option depend on CONFIG_EMBEDDED so that we can
> > be sure people don't have man-pages on the device. ;)
> > 
> > Seriously, I think doing authorization check based on gids in a sysctl is
> > wrong.
> 
> It is quite weird but perhaps made sense in the context of some embedded
> systems.

The origins of this interface are in the openwall project. I assume
embedded devices were not that high up on their agenda.

> > Switching over to capabilities seems to make this interface much
> > more useable to me. But we would need to make sure, that we don't suddenly
> > allow people to use those sockets where it was restricted previously.
> 
> Standard ping could already be implemented as setcap (CAP_NET_RAW).  You
> want a capability just for ping?

That came to my mind at first, yes.

Hm, that's quite difficult:

I don't think we can stop respecting ping_group_range. So one possibility
is to just always allow icmp socket access if CAP_NET_RAW is in the
effective set *or* user is in a valid gid. But why should people switch
to icmp sockets and why should we add more code to iputils then if they
also have full CAP_NET_RAW?

We could be nitpicking and add a new capability, but I would be too
lazy to do that for the very little gain to give users only access to
ping/traceroute without giving access to the whole NET_RAW world.

We absolutely cannot abandon the interface as it already is in use by
android, as Lorenzo stated. Will android switch to file based capabilities
in some time? Is that possible?

I think I am in favour of the Kconfig option that it can be disabled or
compiled as a module (maybe only visible with CONFIG_EMBEDDED) and push that
on the deprecated list as file based capabilities made this socket type
unnecessary.

Any thoughts?

Bye,

  Hannes

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ