Warren Kumari <war...@kumari.net> wrote: >> The fewer privilege escalation points the better, I suppose. From that >> perspective a UDP socket may be less concerning, but perhaps not by much. >> NetworkMonitor has the appropriate privileges to do the needful, > regardless.
> I'll start off by admitting that this is a cheap shot, but: > https://access.redhat.com/security/vulnerabilities/3442151 (yeah, so that's as much about using shell for things it was never designed to do.) > I'm uncomfortable with the "let's have all machines which might possibly > connect to a network with a captive portal have a daemon listening on a > well-known UDP port" idea. Yes, it is very similar to "let's have all > machines which might possibly connect to a network with a captive portal > have a thingie watching for special ICMP messages", but somehow it feels > very different. Yes, I understand the irony of building networks based on > what makes Warren uncomfortable, but... I agree, it's different. ICMP is generally handled centrally by the kernel, and it isn't handed off to random shell scripts. The kernel does some validation of the incoming packet. -- Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
Description: PGP signature
_______________________________________________ Captive-portals mailing list Captivefirstname.lastname@example.org https://www.ietf.org/mailman/listinfo/captive-portals