| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 08 May 2014 00:18:57 +0200 From: "Jorge Boncompte [DTI2]" <jorge@...2.net> To: "Eric W. Biederman" <ebiederm@...ssion.com>, David Miller <davem@...emloft.net> CC: vgoyal@...hat.com, ssorce@...hat.com, security@...nel.org, luto@...capital.net, netdev@...r.kernel.org, serge@...lyn.com Subject: Re: [PATCH 5/5] net: Use netlink_ns_capable to verify the permisions of netlink messages El 23/04/2014 23:29, Eric W. Biederman escribió: > > It is possible by passing a netlink socket to a more privileged > executable and then to fool that executable into writing to the > socket data that happens to be valid netlink message to do something > that privileged executable did not intend to do. > > To keep this from happening replace bare capable and ns_capable calls > with netlink_capable, netlink_net_calls and netlink_ns_capable calls. > Which act the same as the previous calls except they verify that the > opener of the socket had the desired permissions as well. > Hi, after this patch, zebra daemon of quagga in Debian testing fails to send routes to kernel with an -EPERM error. Reverting this patch and commit a64d90fd96 (netfilter: Fix warning in nfnetlink_receive().) fixes it for me. I haven't got time to do a proper analisys and could be that zebra it's doing something silly but this patch seems to subtly change some semantics. -- ============================================================== Jorge Boncompte - Ingenieria y Gestion de RED DTI2 - Desarrollo de la Tecnologia de las Comunicaciones -------------------------------------------------------------- C/ Abogado Enriquez Barrios, 5 14004 CORDOBA (SPAIN) Tlf: +34 957 761395 / FAX: +34 957 450380 ============================================================== - There is only so much duct tape you can put on something before it just becomes a giant ball of duct tape. ============================================================== -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists