lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20200316.021314.2124785837023809696.davem@davemloft.net>
Date:   Mon, 16 Mar 2020 02:13:14 -0700 (PDT)
From:   David Miller <davem@...emloft.net>
To:     dsahern@...il.com
Cc:     vincent@...nat.ch, netdev@...r.kernel.org, kuba@...nel.org,
        edumazet@...gle.com, kafai@...com
Subject: Re: [RFC PATCH net-next v1] net: core: enable SO_BINDTODEVICE for
 non-root users

From: David Ahern <dsahern@...il.com>
Date: Sun, 15 Mar 2020 20:36:10 -0600

> As a reminder, there are currently 3 APIs to specify a preferred device
> association which influences route lookups:
> 
> 1. SO_BINDTODEVICE - sets sk_bound_dev_if and is the strongest binding
> (ie., can not be overridden),
> 
> 2. IP_UNICAST_IF / IPV6_UNICAST_IF - sets uc_index / ucast_oif and is
> sticky for a socket, and
> 
> 3. IP_PKTINFO / IPV6_PKTINFO - which is per message.
> 
> The first, SO_BINDTODEVICE, requires root privileges. The last 2 do not
> require root privileges but only apply to raw and UDP sockets making TCP
> the outlier.
> 
> Further, a downside to the last 2 is that they work for sendmsg only;
> there is no way to definitively match a response to the sending socket.
> The key point is that UDP and raw have multiple non-root APIs to dictate
> a preferred device for sending messages.
> 
> Vincent's patch simplifies things quite a bit - allowing consistency
> across the protocols and directions - but without overriding any
> administrator settings (e.g., inherited bindings via ebpf programs).

Understood, but I still wonder if this mis-match of privilege
requirements was by design or unintentional.

Allowing arbitrary users to specify SO_BINDTODEVICE has broad and far
reaching consequences, so at a minimum if we are going to remove the
restriction we should at least discuss the implications.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ