Date:	Fri, 25 Apr 2014 19:37:02 +0900
From:	Lorenzo Colitti <lorenzo@...gle.com>
To:	Ben Hutchings <ben@...adent.org.uk>,
	Florian Westphal <fw@...len.de>,
	netdev <netdev@...r.kernel.org>,
	Vasiliy Kulikov <segoon@...nwall.com>,
	Lorenzo Colitti <lorenzo@...gle.com>
Subject: Re: [RFC][PATCH] IP: Make ping sockets optional

On Fri, Apr 25, 2014 at 1:37 AM, Hannes Frederic Sowa
<hannes@...essinduktion.org> wrote:
> The origins of this interface are in the openwall project. I assume
> embedded devices were not that high up on their agenda.

One of the original discussion threads I posted above has a link to a
lengthy discussion on why the original designers of this code thought
capabilities were not a good idea from a security standpoint.

> We absolutely cannot abandon the interface as it already is in use by
> android, as Lorenzo stated.

Well, the fact that it's in use by Android doesn't mean it can't be
made optional - Android can just turn the feature on in their kernels.
It would be unfortunate if it were to be removed entirely.

> Will android switch to file based capabilities
> in some time? Is that possible?

I think Android does support file capabilities. But this socket type
is not just for the ping binary. The fact that this socket type is
available to any binary allows any application developer to write an
app that can send ping packets. That seems like a useful capability
for a diagnostic app.

On the other hand, it seems to me that giving that same diagnostic app
CAP_NET_RAW would be unacceptable from a security point of view since
that app would now be able to sniff all traffic on the system, with
obvious privacy implications. There are also the usual security
concerns such as what if an exploit is discovered in the ping binary,
etc. etc.

What's the problem with this code? Is it just the 10KB in size?
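An added example, not part of the original message or of the patch under discussion: a small Linux C program contrasting the two routes to ICMP that the message compares, a ping socket (SOCK_DGRAM) and a raw socket (SOCK_RAW, which needs CAP_NET_RAW). It assumes the net.ipv4.ping_group_range sysctl that gates ping sockets; the function names are hypothetical.

```c
/* Added example; Linux-specific. Function names are illustrative only. */
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

/* Parse the text of net.ipv4.ping_group_range ("low high", inclusive) and
 * report whether gid falls inside it: 1 = allowed, 0 = not, -1 = unparsable.
 * An inverted range such as the default "1 0" admits nobody.
 * Checks a single gid; call it once per group of interest. */
int gid_in_ping_range(const char *text, unsigned long gid)
{
    unsigned long low, high;
    if (sscanf(text, "%lu %lu", &low, &high) != 2)
        return -1;
    return low <= gid && gid <= high;
}

/* Try to open an ICMP socket of the given type. Returns 0 on success,
 * otherwise the errno reported by socket(). */
int probe_icmp_socket(int type)
{
    int fd = socket(AF_INET, type, IPPROTO_ICMP);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    char buf[64] = "";
    FILE *f = fopen("/proc/sys/net/ipv4/ping_group_range", "r");
    if (f) {
        if (!fgets(buf, sizeof buf, f))
            buf[0] = '\0';
        fclose(f);
    }
    printf("ping_group_range: %s", buf[0] ? buf : "(unavailable)\n");
    printf("egid %lu in range: %d\n", (unsigned long)getegid(),
           gid_in_ping_range(buf, (unsigned long)getegid()));
    /* SOCK_DGRAM is the ping socket: ICMP echo only, no packet capture. */
    printf("ping socket errno: %d\n", probe_icmp_socket(SOCK_DGRAM));
    /* SOCK_RAW is the CAP_NET_RAW route the message argues against. */
    printf("raw  socket errno: %d\n", probe_icmp_socket(SOCK_RAW));
    return 0;
}
```

Run as an ordinary user, a nonzero errno on the raw socket alongside 0 on the ping socket shows an app getting ping without the broader capability.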