
From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Thu 17 Mar 2005 - 17:40:18 GMT


On Thu, Mar 17, 2005 at 03:49:53PM +0100, Ulrich Weber wrote:
> Well you could do as normal user all the things ICMP is good for.
> See http://www.faqs.org/docs/iptables/icmptypes.html for all types.
>
> This could be Source redirection. However that should be disabled on
> most systems for security reasons.
>
> That's IMHO the only thing evil users could do. All other ICMP types make
> no sense, because the user is not able to sniff the packets and therefore
> can not "react" to incoming packets with custom ICMP replies.

what about various DoS and DDoS things like sending
host unreachable for the 'neighbour' vserver's ip ...

> I would recommend to use this as default behavior. For high security you
> could disable this feature and for low
> security you could enable the CAP_NET_RAW mode.

carefully, CAP_NET_RAW gives you the ability to sniff
all kinds of traffic too ...

> You also have to consider that normally users on vservers are trusted so
> it's not really a multi-user environment.

hmm, they are? ;)

best,
Herbert

> Best regards
> Ulrich
>
>
> Herbert Poetzl wrote:
>
> >On Wed, Mar 16, 2005 at 06:58:23PM +0100, Ulrich Weber wrote:
> >
> >
> >>Hi all,
> >>
> >>because my vserver provider was unable to disable CAP_NET_RAW (all other
> >>customers want to use ping) I did some research on the topic.
> >>Attached please find a workaround patch to use ping without SUID (I got
> >>the inspiration from VXC_RAW_ICMP in vServer 1.9.4).
> >>
> >>I have no vserver installed, so I tested the attached patch in a
> >>user-mode-linux instance where it worked.
> >>Hope it works for vserver with CAP_NET_RAW disabled too.
> >>
> >>Is it possible to add this patch to the next stable release?
> >>
> >>
> >
> >well, basically I have no problem with that, but you have
> >to convince me that it doesn't introduce a security hole
> >itself, and I'd prefer to make it at least a compile time
> >option, so that folks concerned about security can disable
> >it (but that's trivially done)
> >
> >best,
> >Herbert
> >
> >
> >
> >>Best regards
> >>Ulrich
> >>
> >>
> >
> >
> >
> >>diff -Nru linux-2.4.27.org/net/ipv4/af_inet.c
> >>linux-2.4.27/net/ipv4/af_inet.c
> >>--- af_inet.c 2005-03-16 18:39:54.000000000 +0100
> >>+++ af_inet.c 2005-03-16 18:39:43.000000000 +0100
> >>@@ -352,7 +352,7 @@
> >>
> >> if (!answer)
> >> goto free_and_badtype;
> >>- if (answer->capability > 0 && !capable(answer->capability))
> >>+ if ((protocol != IPPROTO_ICMP) && (answer->capability > 0) &&
> >>!capable(answer->capability))
> >> goto free_and_badperm;
> >> if (!protocol)
> >> goto free_and_noproto;
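Review bot: the `+` line exempts every raw IPPROTO_ICMP socket from the capability check rather than just what ping needs; once the socket is open the caller controls the whole ICMP header, so the change admits unreachable, redirect and every other type, which is exactly the DoS concern raised earlier in this thread. A narrower change would keep `capable(answer->capability)` at socket creation and instead gate what an unprivileged ICMP socket may send (for example echo request only), behind a compile-time option so that it can be disabled. Separately, the `+` line has been wrapped by the mail client (`!capable(answer->capability))` sits on its own line) and the `---`/`+++` headers name `af_inet.c` without the `net/ipv4/` path given on the `diff -Nru` line, so the patch as posted will not apply cleanly with `patch -p1`; resending it as an attachment would avoid both problems.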
> >>
> >>
> >
> >
> >
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
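As an added illustration of the narrower alternative discussed in this thread (example code, not the patch, the kernel or the vserver project's VXC_RAW_ICMP): a userspace model of an ICMP type allowlist applied to what an unprivileged raw ICMP socket may send, so that ping's echo requests pass while host-unreachable and redirect messages, the types the reply above worries about, are refused. All names and sample messages are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ICMP type numbers (RFC 792), defined locally so the example is self-contained. */
#define ICMP_T_DEST_UNREACH 3
#define ICMP_T_REDIRECT     5
#define ICMP_T_ECHO         8

/* Header a process hands to a raw ICMP socket; the kernel prepends the IP header. */
struct icmp_hdr { uint8_t type; uint8_t code; uint16_t checksum; uint32_t rest; };
enum icmp_verdict { ICMP_ALLOW = 0, ICMP_DENY_SHORT = 1, ICMP_DENY_TYPE = 2 };

/* Allowlist of ICMP types an unprivileged sender may emit, one bit per type (0..255). */
struct icmp_send_policy { uint8_t allowed[32]; };

static void icmp_policy_allow(struct icmp_send_policy *p, uint8_t type) {
    p->allowed[type / 8] |= (uint8_t)(1u << (type % 8));
}

/* Policy for the ping-without-SUID case: only echo requests may leave the socket. */
static void icmp_policy_ping_only(struct icmp_send_policy *p) {
    memset(p->allowed, 0, sizeof p->allowed);
    icmp_policy_allow(p, ICMP_T_ECHO);
}

/* Check one outgoing message; a message too short for a full header is rejected
 * before any field is read. The type is the first octet. */
static enum icmp_verdict icmp_send_check(const struct icmp_send_policy *p,
                                         const uint8_t *msg, size_t len) {
    if (len < sizeof(struct icmp_hdr))
        return ICMP_DENY_SHORT;
    uint8_t type = msg[0];
    return (p->allowed[type / 8] & (uint8_t)(1u << (type % 8))) ? ICMP_ALLOW : ICMP_DENY_TYPE;
}

/* Constructed sample messages: 0 is a normal echo request, 1 a host-unreachable
 * (type 3, code 1), 2 a redirect (type 5), 3 a truncated 3-byte message. */
static enum icmp_verdict sample_verdict(int which) {
    static const uint8_t echo_req[8]     = { ICMP_T_ECHO, 0, 0, 0, 0x12, 0x34, 0, 1 };
    static const uint8_t host_unreach[8] = { ICMP_T_DEST_UNREACH, 1, 0, 0, 0, 0, 0, 0 };
    static const uint8_t redirect[8]     = { ICMP_T_REDIRECT, 1, 0, 0, 10, 0, 0, 1 };
    static const uint8_t truncated[3]    = { ICMP_T_ECHO, 0, 0 };
    struct icmp_send_policy p;
    icmp_policy_ping_only(&p);
    switch (which) {
    case 0:  return icmp_send_check(&p, echo_req, sizeof echo_req);
    case 1:  return icmp_send_check(&p, host_unreach, sizeof host_unreach);
    case 2:  return icmp_send_check(&p, redirect, sizeof redirect);
    default: return icmp_send_check(&p, truncated, sizeof truncated);
    }
}
```

In a kernel implementation the same check would sit on the raw socket's send path, leaving the capability check at socket creation untouched for every other protocol.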


Generated on Thu 17 Mar 2005 - 17:40:38 GMT by hypermail 2.1.3