On Tue, 28 Dec 1999, Dirk Koopman wrote:

> Please would you answer the question? Why does it _actually_ need root
> privileges for ax25 protocol traffic? We are talking here about something
> which, whatever you do, is insecure. Anybody can program a TNC to be any
> callsign. Anybody can monitor anything using a TNC. Why does linux have to be
> different? 

Well, I guess Tim said it. I might add that my understanding of the unix
philosophy is that a normal user should not be allowed to do whatever he
pleases, at least not without permission from the superuser. Remember
that with PF_PACKET socket you can construct whatever packets you want,
even completely malformed. Packets that could possibly crash other hosts
on the network. Linux is a multiuser OS and everything is thought from
that point of view. There is always the malicious user.

That is probably the reason why a PF_PACKET socket is not allowed for a
non-root user. Leszek talked something about a suser() call in af_ax25.c
but frankly I don't know what he is talking about. PF_PACKET is handled in
linux/net/packet/af_packet.c:

        if (!capable(CAP_NET_RAW))
                return -EPERM;

and that is for all protocols, not AX.25 alone. Tampering with that
is definitely a bug!

(BTW, that CAP stuff might be something worth investigating, I'm not quite
sure how it works.)

Note that we are talking about PF_PACKET socket here, not SOCK_RAW. At
least I am (and that is what is used in FBB for unprotos). SOCK_RAW
packets are actually allowed for normal users in Linux AX.25 (unlike IP).

> > Generating UI frames as non-root is easy, just use a datagram socket.
> > Receiving should be just as easy but I haven't tested. Of course you are
> > then restricted to your own source call.
> 
> Which is exactly the point, it isn't.

For the record: I was able to create a program capable of sending UI
frames to anyone and receiving UI frames from anyone. As non-root, and of
course only with my own call.

> I want to implement a UI based DX
> Cluster protocol so that, finally, we can move on a bit, reduce some
> bandwidth and maybe even achieve some experimentation. In order to do that I
> need to be able to send UI frames from my callsign to any address, listen for
> UI frames from any address, to any address and process the ones I am
> interested in (only a few of which will be addressed to me) and maybe (for
> experimental purposes) relay some frames from one interface to another.

Explain to me why you need to receive UI frames addressed to any address? FBB
uses a UI based message system and copes well with only UI frames
addressed to the box call.

If you _really_ need that then use a SOCK_DGRAM socket and come up with a
clever system to extend the uid->callsign association system so you are
able to bind to those addresses you need. If that were controlled by root
then I don't see a problem.

Or then maybe implement some sort of AX.25 level broadcast/multicast
method in the kernel. Or whatever, but do it in a way that is compatible
with the unix way of thinking and the rest of the kernel. Not with a quick
hack in microsoft style.

> A good way to start this off would be to use another pid. However, I can't see
> a way to use a specific pid on my UI frame without using a raw socket; there
> doesn't seem to be a mechanism to handle pid specific traffic. There is no
> concept of setting SO_BROADCAST on the socket. In fact there is no way AFAIK
> to set a pid in any of the sockaddr structures available. So even 'normal'
> things that you can do for IP, as a user, in this area are impossible. 

You can get/set the pid with SOCK_RAW at least. (Probably with SOCK_DGRAM
also, I'm not sure if there really is a difference. I need to dig deeper
into the code... :) And as I said, SOCK_RAW does not require root
privileges.

And if there is a valid feature missing in the kernel, that is probably
because no-one has ever needed that. This is a community effort. You
implement it.

> potential security hole that needs watching), the main cluster process does
> _NOT_ (and will _NOT_) run as root.

I have already said that even if you use a PF_PACKET socket, there is no
need to keep to root privileges after opening the socket. Just drop them
and continue as a normal user.

> I am just in the process of trying to see how this might be achieved by
> studying the user_process stuff, but should you have any code available
> (whether run by root or not) that can short circuit my learning the hard way,
> it would be appreciated.

Umm. I have to admit I don't know what you are talking about.

-- 
Tomi Manninen           Internet:  [EMAIL PROTECTED]
OH2BNS                  AX.25:     [EMAIL PROTECTED]
KP20ME04                Amprnet:   [EMAIL PROTECTED]
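
The "open the PF_PACKET socket as root, then drop privileges" approach Tomi describes above, written out as an added C example (not code from this thread, from FBB, or from the kernel): the socket() call is the one the capable(CAP_NET_RAW) check in af_packet.c gates, and the process then switches to an unprivileged account. It assumes Linux headers and that an account named "nobody" exists.

```c
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>       /* htons() */
#include <linux/if_ether.h>  /* ETH_P_AX25 */

/* Open a PF_PACKET socket for AX.25 frames. The capable(CAP_NET_RAW) check
 * in af_packet.c makes this fail with EPERM for an unprivileged caller. */
int open_ax25_packet_socket(void)
{
    return socket(PF_PACKET, SOCK_RAW, htons(ETH_P_AX25));
}

/* Give up root for good once the socket is open: clear supplementary groups,
 * set the gid, then the uid (in that order, or the later calls fail).
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Confirm the drop is permanent: getting root back must now fail. */
    if (uid != 0 && setuid(0) != -1) { errno = EPERM; return -1; }
    return 0;
}

int main(void)
{
    int fd = open_ax25_packet_socket();
    if (fd < 0) { perror("socket(PF_PACKET)"); return 1; }

    /* Assumption for this example: an unprivileged "nobody" account exists. */
    struct passwd *pw = getpwnam("nobody");
    if (pw == NULL || drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    /* The already-open fd keeps working; new PF_PACKET sockets no longer can. */
    printf("fd %d open, now uid %d; reopen -> %s\n", fd, (int)geteuid(),
           open_ax25_packet_socket() < 0 ? "EPERM" : "allowed");
    close(fd);
    return 0;
}
```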
