From: Sam Vilain (sam_at_vilain.net)
Date: Wed 14 Nov 2001 - 11:16:50 GMT
On Wed, 14 Nov 2001 01:00:23 -0500
Jacques Gelinas <jack_at_solucorp.qc.ca> wrote:
> > You could allow CAP_NET_RAW through, just watch out for Steve Gibson.
> (Who is Steve Gibson)
Steve Gibson is a security "expert" screaming impending doom will come to
the world if raw sockets are allowed to ship with Windows XP. He reckons
it's every DDOS'ers dream. Check out this link:
>>>>> tlmpmail: DMCA Security alert
The below text is not available to US viewers due to the restrictions
of the DMCA. The material contains high level of material that could
cause violations of American national security - British humour
>>>>> tlmpmail: sensitive data begins:
http://www.theregister.co.uk/content/4/19925.html
>>>>> tlmpmail: sensitive data ends:
> I think I missed that thread. I was aware that CAP_NET_RAW was causing
> the ping problem. Now, do you think that a different capability should be assigned
> to the ping operation, or some "solution" should be put in place to provide
> a safe ping solution,
ping calls:
socket(PF_INET, SOCK_RAW, IPPROTO_ICMP)
I don't know how you could wrap a capability around that, without still
allowing arbitrary ICMP traffic out.
Damnit, we need add-capability-on-execute binaries, and there just aren't
enough bits in ext2_inode.i_flags
But wait! I see ext2_inode.linux1.l_i_reserved1, which is __u32 (the same
as kernel_cap_t). This looks OK, except that there are only 2 capability
bits unallocated in kernel_cap_t. I see that someone has had the
foresight to use a 64-bit type for the user-space structure, and there's
always ext2_inode.linux2.l_i_reserved2 (32 bits) or
ext2_inode.linux2.i_pad (16 bits) to overflow new capabilities to on
disk.
> Allowing CAP_NET_RAW is I guess a bad thing.
Could be problematic. Even with firewalling, someone could spoof packets
from one host to another. Unless you could have per-vserver iptables
rules.
On the other hand, intra-server raw sockets are not a problem for ICMP. An
iptables rule will stop spoofed ICMP packets from getting out (and believe
me, when you've got as much bandwidth as we have you don't want people
spoofing packets, out of consideration for the rest of the internet
community), but won't allow intra-host server attacks.
I think a capability for ICMP would be a good idea.
On a side note, I think we should set up a wiki for this project's
documentation.
Sam.
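The message above turns on one fact: ping needs socket(PF_INET, SOCK_RAW, IPPROTO_ICMP), and that call is gated on CAP_NET_RAW, which also lets the caller craft arbitrary IP packets. The probe below is an added example, not code from the list or from the vserver project, and it goes beyond the 2001 state of things: on current Linux a second socket type, SOCK_DGRAM with IPPROTO_ICMP (an "ICMP datagram" or ping socket), carries echo requests only and is gated on the net.ipv4.ping_group_range sysctl instead of CAP_NET_RAW. Opening each type and reading the errno tells an administrator which of the two privilege gates a given process (say, inside a guest) actually passes. It sends nothing; the function names and the explanatory strings are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Try to open an IPv4 ICMP socket of the given type (SOCK_RAW or
 * SOCK_DGRAM) and close it again. Returns 0 if the kernel allowed it,
 * otherwise the errno that socket(2) reported. No packet is ever sent. */
int probe_icmp_socket(int type)
{
    int fd = socket(AF_INET, type, IPPROTO_ICMP);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Only the raw variant is gated on CAP_NET_RAW; the datagram variant is
 * gated on the caller's group lying inside net.ipv4.ping_group_range. */
int needs_cap_net_raw(int type)
{
    return type == SOCK_RAW;
}

/* Map a probe result to the condition a defender should read from it.
 * The errno values are the ones inet_create()/ping sockets return today:
 * EPERM for a raw socket without CAP_NET_RAW, EACCES for a ping socket
 * whose gid is outside the allowed range. */
const char *explain_icmp_probe(int type, int err)
{
    if (type == SOCK_RAW) {
        if (err == 0)
            return "raw ICMP socket opened: caller holds CAP_NET_RAW";
        if (err == EPERM)
            return "raw ICMP socket refused: CAP_NET_RAW not in effective set";
    } else if (type == SOCK_DGRAM) {
        if (err == 0)
            return "ICMP datagram socket opened: echo only, no CAP_NET_RAW needed";
        if (err == EACCES)
            return "ICMP datagram socket refused: gid outside net.ipv4.ping_group_range";
        if (err == EPROTONOSUPPORT)
            return "ICMP datagram sockets unsupported by this kernel";
    }
    return "unexpected result";
}

/* Stand-alone use: print the verdict for both socket types. */
int main(void)
{
    int types[2] = { SOCK_RAW, SOCK_DGRAM };
    const char *names[2] = { "SOCK_RAW", "SOCK_DGRAM" };
    for (int i = 0; i < 2; i++) {
        int err = probe_icmp_socket(types[i]);
        printf("%-10s needs CAP_NET_RAW=%d -> %s (%s)\n", names[i],
               needs_cap_net_raw(types[i]),
               explain_icmp_probe(types[i], err),
               err ? strerror(err) : "ok");
    }
    return 0;
}
```

Run it as an ordinary user and the SOCK_RAW line should report EPERM; that is the check that a guest's ping has not been handed CAP_NET_RAW. The "add-capability-on-execute binaries" wished for above also exist now: file capabilities live in the security.capability extended attribute rather than in ext2_inode.i_flags, and `setcap cap_net_raw+ep /path/to/binary` grants the capability at exec time, so re-running the probe after such a setcap shows the SOCK_RAW line flip to "opened". The ping-socket line, together with net.ipv4.ping_group_range, is the "safe ping solution" the quoted question asks for: echo without the ability to forge arbitrary packets.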