From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Thu 17 Mar 2005 - 17:40:18 GMT
On Thu, Mar 17, 2005 at 03:49:53PM +0100, Ulrich Weber wrote:
> Well you could do as normal user all the things ICMP is good for.
> See http://www.faqs.org/docs/iptables/icmptypes.html for all types.
> This could be Source redirection. However that should be disabled on
> most systems for security reasons.
> Thats IMHO the only thing evil users good do. All other ICMP types make
> no sense, because the user is not
> able to sniff the packets and therefore can not "react" to incoming
> packets with custom ICMP replys.
what about various DoS and DDoS things like sending
host unreachable for the 'neighbour' vserver's ip ...
> I would recommend to use this as default behavior. For high security you
> could disable this feature and for low
> security you could enable the CAP_NET_RAW mode.
carefully, CAP_NET_RAW gives you the ability to sniff
all kinds of traffic too ...
> You also have to consider that normally users on vservers are trusted so
> its not really a multi-user environment.
hmm, they are? ;)
> Best regards
> Herbert Poetzl wrote:
> >On Wed, Mar 16, 2005 at 06:58:23PM +0100, Ulrich Weber wrote:
> >>Hi all,
> >>because my vserver provider was unable to disable CAP_NET_RAW (all other
> >>customers want to use ping) I did some reseach on the topic.
> >>Attached please find a workaround patch to use ping without SUID (I got
> >>the inspiration from VXC_RAW_ICMP in vServer 1.9.4).
> >>I have no vserver installed, so I tested the attached patch in an
> >>user-mode-linux instance where it worked.
> >>Hope it works for vserver with CAP_NET_RAW disabled too.
> >>Is it possible to add this patch to the next stable release ?
> >well, basically I have no problem with that, but you have
> >to convince me that it doesn't introduce a security hole
> >itself, and I'd prefer to make it at least a compile time
> >option, so that folks concerned about security can disable
> >it (but that's trivially done)
> >>Best regards
> >>diff -Nru linux-2.4.27.org/net/ipv4/af_inet.c
> >>--- af_inet.c 2005-03-16 18:39:54.000000000 +0100
> >>+++ af_inet.c 2005-03-16 18:39:43.000000000 +0100
> >>@@ -352,7 +352,7 @@
> >> if (!answer)
> >> goto free_and_badtype;
> >>- if (answer->capability > 0 && !capable(answer->capability))
> >>+ if ((protocol != IPPROTO_ICMP) && (answer->capability > 0) &&
> >> goto free_and_badperm;
> >> if (!protocol)
> >> goto free_and_noproto;
> >>Vserver mailing list
> Vserver mailing list
Vserver mailing list