On Thu, Aug 28, 2008 at 11:00:07AM -0700, Tony Nguyen wrote:
> Renee Danson wrote:
> > On Wed, Aug 27, 2008 at 05:02:14PM -0700, Tony Nguyen wrote:
> >>>
> >> I'm sure folks will correct me. It's essentially network/ipfilter that
> >> is running this provided ipf_method, a service delivered script. A
> >> service developer/vendor who delivers a flawed script can do the same in
> >> the service's start or refresh method.
> >
> > But the service's start or refresh method wouldn't have the ability to
> > load rules into ipfilter, which is what your framework will do on its
> > behalf.
>
> Yes, they can. These methods can simply create some rules and request
> ipfilter to make them active, something like
>
> echo "rules" | ipf -f -
But you have to be root to run ipf. My concern was that anyone could write a
script that produced rules, create the firewall_config/ipf_method property for
a given service, and therefore get your framework to run the ipf command, as
root, on its behalf.

I think Dave has asserted that you need greater authorization (such as root,
or an authorization explicitly granted by root) than was obvious from the text
to create the property; if so, that should address my concern. But that's part
of the continuing discussion.

-renee
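The concern in this thread is that whoever can set firewall_config/ipf_method on a service hands a script to network/ipfilter to run as root. The audit below is an added example, not code from the thread or from the ipfilter/SMF framework: it takes svcprop-style lines (constructed here, with the FMRI prefixed so several services fit in one sample) and lists every service that carries a non-empty ipf_method together with the firewall_config group's modify_authorization, so an administrator can see which entries are guarded by an authorization and which are not. The property names other than ipf_method, the "property type value" output shape, and the authorization string are assumptions about the framework, not facts from the thread.

```shell
#!/bin/sh
# Constructed sample in the shape of `svcprop -p firewall_config <fmri>` output,
# each line prefixed with the service FMRI (assumed format: fmri property type value).
SAMPLE='svc:/network/ssh:default firewall_config/policy astring use_global
svc:/network/ssh:default firewall_config/ipf_method astring ""
svc:/network/ssh:default firewall_config/modify_authorization astring solaris.smf.value.firewall.config
svc:/site/vendorapp:default firewall_config/policy astring custom
svc:/site/vendorapp:default firewall_config/ipf_method astring /opt/vendorapp/lib/ipf_method
svc:/site/vendorapp:default firewall_config/modify_authorization astring solaris.smf.value.firewall.config
svc:/site/legacyapp:default firewall_config/policy astring custom
svc:/site/legacyapp:default firewall_config/ipf_method astring /opt/legacyapp/gen_rules.sh'

# audit_ipf_methods: print "FMRI METHOD AUTH" for every service whose
# firewall_config/ipf_method is set to something other than the empty string.
# AUTH is the group's modify_authorization value, or NONE when the group has
# none (hypothetical property name; an unguarded group means anyone able to
# edit that repository entry chooses the script ipfilter will run as root).
audit_ipf_methods() {
    printf '%s\n' "$SAMPLE" | awk '
        $2 == "firewall_config/ipf_method" && $4 != "\"\"" && $4 != "" { method[$1] = $4 }
        $2 == "firewall_config/modify_authorization"                   { auth[$1] = $4 }
        END {
            for (f in method)
                printf "%s %s %s\n", f, method[f], (f in auth) ? auth[f] : "NONE"
        }' | sort
}

# unprotected_count: number of services with an ipf_method but no
# modify_authorization on the firewall_config group.
unprotected_count() {
    audit_ipf_methods | awk '$3 == "NONE" { n++ } END { print n + 0 }'
}

audit_ipf_methods
echo "services with an unguarded ipf_method: $(unprotected_count)"
```

On a live system the SAMPLE string would be replaced by looping over `svcs -a -o fmri` and prefixing each service's `svcprop -p firewall_config` output with its FMRI; the awk logic is unchanged.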