Re: Any patch for ICMP in a jail?
"Jacques A. Vidrine" wrote:
> On Mon, Aug 04, 2003 at 10:53:03AM -0700, Terry Lambert wrote:
> > You would either lose or overexpose root-restricted functionality,
> > such as flood-ping.
>
> Eh?  Why?  pingd can know your credentials.

Through the credential passing?  I thought that wasn't reliable
for this type of thing.  Specifically, the jail would be in an
untrusted protection domain; if you just accepted the credential
blindly, then anyone could be root in the jail, and you could not
trust it.

If you didn't accept it blindly, then regular root loses existing
functionality.

I'm pretty sure that, at least the last time I looked at it, the
credential passing code didn't pass information about jail status.

Yeah, it's doable, but it's not as small an amount of work as this
discussion so far has implied.  Mostly, certain capabilities are
going to end up lost.

BTW: the main reason for a pingd when dealing with jails isn't
about increased security, it's about routing the responses to the
appropriate sender.

The way Novell dealt with this in IPX was to define an internal
network interface that was routed from other internal network
interfaces: in effect, they added an internal router hop.

-- Terry
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Any patch for ICMP in a jail?
On Tue, Aug 05, 2003 at 03:55:55AM -0700, Terry Lambert wrote:
> Through the credential passing?  I thought that wasn't reliable
> for this type of thing.  Specifically, the jail would be in an
> untrusted protection domain; if you just accepted the credential
> blindly, then anyone could be root in the jail, and you could not
> trust it.
>
> If you didn't accept it blindly, then regular root loses existing
> functionality.
>
> I'm pretty sure that, at least the last time I looked at it, the
> credential passing code didn't pass information about jail status.
[deletia]

Sorry, you are right.  Despite the subject line, I wasn't thinking of
jails at this point, but just of removing the setuid bit from ping.

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
[EMAIL PROTECTED] . [EMAIL PROTECTED] . [EMAIL PROTECTED] . [EMAIL PROTECTED]

Re: Any patch for ICMP in a jail?
On Mon, Aug 04, 2003 at 10:53:03AM -0700, Terry Lambert wrote:
> You would either lose or overexpose root-restricted functionality,
> such as flood-ping.

Eh?  Why?  pingd can know your credentials.

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
[EMAIL PROTECTED] . [EMAIL PROTECTED] . [EMAIL PROTECTED] . [EMAIL PROTECTED]

Re: Any patch for ICMP in a jail?
Brad Knowles wrote:
> At 8:35 AM -0400 2003/08/04, Robert Watson wrote:
> > The best short-term suggestion would be to write a
> > privilege-separated ping tool -- a pingd running outside the jail,
> > providing UNIX domain sockets in each jail that needs the ability to ping;
> > ping then becomes a client that RPC's to pingd.
>
> It strikes me that this is probably a better solution to the
> problem regardless of whether or not you are in a jail.  By carefully
> controlling the RPC interface, you should be able to reduce the
> security exposure, simplify pingd, and bring more of the complex
> logic into the unprivileged ping client.
>
> This would also allow you to apply the same solution for jail vs.
> non-jail environments.
>
> Is this a future enhancement that we can realistically look forward to?

You would either lose or overexpose root-restricted functionality,
such as flood-ping.

-- Terry

Re: Any patch for ICMP in a jail?
At 8:35 AM -0400 2003/08/04, Robert Watson wrote:
> The best short-term suggestion would be to write a
> privilege-separated ping tool -- a pingd running outside the jail,
> providing UNIX domain sockets in each jail that needs the ability to ping;
> ping then becomes a client that RPC's to pingd.

It strikes me that this is probably a better solution to the
problem regardless of whether or not you are in a jail.  By carefully
controlling the RPC interface, you should be able to reduce the
security exposure, simplify pingd, and bring more of the complex
logic into the unprivileged ping client.

This would also allow you to apply the same solution for jail vs.
non-jail environments.

Is this a future enhancement that we can realistically look forward to?

--
Brad Knowles, <[EMAIL PROTECTED]>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.

Re: Any patch for ICMP in a jail?
On Mon, 4 Aug 2003, Rus Foster wrote:
> Is there a patch that will allow ping from inside a jail on 5.x? Google
> didn't show anything?

The problem is that, to generate pings, you have to have access to a raw
socket.  And unfortunately, raw sockets imply access to a lot more than
just the ability to send/receive ICMP: a number of management components
in the IP stack assume that if you have a raw socket, you're also allowed
to configure those components.  Take a look at rip_ctloutput() in raw_ip.c
for some examples.  We have some local in-progress changes to modify this
as part of our capabilities work, but there's no timeline for integrating
it.  The best short-term suggestion would be to write a
privilege-separated ping tool -- a pingd running outside the jail,
providing UNIX domain sockets in each jail that needs the ability to ping;
ping then becomes a client that RPC's to pingd.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
[EMAIL PROTECTED]             Network Associates Laboratories
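
An added sketch, not code from this thread or from FreeBSD, of the authorization step that the pingd Robert Watson proposes would need in order to answer Terry Lambert's objection about trusting uid 0 from inside a jail. Privilege is derived from which per-jail socket the request arrived on, which the daemon itself created, combined with the peer uid as reported by the kernel. All names and limits are hypothetical, and the peer uid is assumed to come from something like getpeereid(3), never from the request body.

```c
#include <stdio.h>
#include <sys/types.h>

/* All names and limits are hypothetical; this is not FreeBSD source. */
enum verdict { PING_OK, PING_CLAMPED, PING_DENIED };

/* One listening socket created by pingd: 0 = host, >0 = placed in that jail. */
struct endpoint { int jail_id; };

struct ping_req {              /* what the unprivileged client asks for */
    unsigned count;            /* 0 = until interrupted */
    unsigned interval_ms;      /* 0 = flood */
    unsigned payload_len;
};

#define JAIL_MAX_COUNT    100u /* constructed limits for jailed callers */
#define MIN_INTERVAL_MS  1000u
#define JAIL_MAX_PAYLOAD 1472u

/*
 * peer_uid is the kernel-reported uid of the connected peer. A uid of 0
 * seen on a jail's socket is jail root, so it is treated like any other
 * untrusted caller; only uid 0 on the host socket keeps flood ping.
 */
enum verdict
pingd_authorize(const struct endpoint *ep, uid_t peer_uid, struct ping_req *req)
{
    enum verdict v = PING_OK;

    if (ep->jail_id == 0 && peer_uid == 0)
        return PING_OK;              /* host root loses nothing */
    if (req->interval_ms == 0)
        return PING_DENIED;          /* flood stays restricted to host root */
    if (req->interval_ms < MIN_INTERVAL_MS) {
        req->interval_ms = MIN_INTERVAL_MS; v = PING_CLAMPED;
    }
    if (ep->jail_id != 0 && (req->count == 0 || req->count > JAIL_MAX_COUNT)) {
        req->count = JAIL_MAX_COUNT; v = PING_CLAMPED;
    }
    if (ep->jail_id != 0 && req->payload_len > JAIL_MAX_PAYLOAD) {
        req->payload_len = JAIL_MAX_PAYLOAD; v = PING_CLAMPED;
    }
    return v;
}

int main(void)
{
    struct endpoint jail = { 3 };
    struct ping_req flood = { 0, 0, 56 };    /* constructed request */
    printf("jail uid 0 flood -> %d\n", pingd_authorize(&jail, 0, &flood));
    return 0;
}
```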