Well, you could do as a normal user all the things ICMP is good for.
See http://www.faqs.org/docs/iptables/icmptypes.html for all types.

This could be source redirection. However, that should be disabled on most systems for security reasons.

That's IMHO the only thing evil users could do. All other ICMP types make no sense, because the user is not
able to sniff the packets and therefore cannot "react" to incoming packets with custom ICMP replies.


I would recommend using this as the default behavior. For high security you could disable this feature, and for low
security you could enable the CAP_NET_RAW mode.



You also have to consider that normally users on vservers are trusted, so it's not really a multi-user environment.


Best regards
Ulrich


Herbert Poetzl wrote:

On Wed, Mar 16, 2005 at 06:58:23PM +0100, Ulrich Weber wrote:


Hi all,

because my vserver provider was unable to disable CAP_NET_RAW (all other customers want to use ping), I did some research on the topic.
Attached please find a workaround patch to use ping without SUID (I got the inspiration from VXC_RAW_ICMP in vServer 1.9.4).


I have no vserver installed, so I tested the attached patch in a user-mode-linux instance, where it worked.
Hope it works for vservers with CAP_NET_RAW disabled too.


Is it possible to add this patch to the next stable release?



Well, basically I have no problem with that, but you have to convince me that it doesn't introduce a security hole itself, and I'd prefer to make it at least a compile-time option, so that folks concerned about security can disable it (but that's trivially done).

best,
Herbert



Best regards
Ulrich
diff -Nru linux-2.4.27.org/net/ipv4/af_inet.c linux-2.4.27/net/ipv4/af_inet.c
--- af_inet.c   2005-03-16 18:39:54.000000000 +0100
+++ af_inet.c   2005-03-16 18:39:43.000000000 +0100
@@ -352,7 +352,7 @@

if (!answer)
goto free_and_badtype;
- if (answer->capability > 0 && !capable(answer->capability))
+ if ((protocol != IPPROTO_ICMP) && (answer->capability > 0) &&
!capable(answer->capability))
goto free_and_badperm;
if (!protocol)
goto free_and_noproto;
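Review bot: the new condition skips the capability check for every inetsw entry with protocol IPPROTO_ICMP, unconditionally and with no way to turn it off; in 2.4 that entry is the SOCK_RAW one, so this hands any unprivileged process inside the vserver a full raw ICMP socket (send and receive), not just what ping needs. That is wider than the thread's own threat model (it assumes the user cannot see incoming ICMP, and it names redirect as the type that matters), and it does not provide the compile-time switch Herbert asked for. At minimum wrap the `(protocol != IPPROTO_ICMP) &&` clause in a Kconfig-controlled `#ifdef` so the unmodified check is the default, and document in the changelog that the exemption covers all ICMP types, so the vserver-side policy (disabling redirects, as mentioned above) is understood to be the only remaining limit.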





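The thread turns on which socket creations the `answer->capability` check in `inet_create` lets through. The following small probe is an added example for this discussion, not code from the patch or from the vserver project: it asks the running kernel whether the current (ideally non-root) user may open an ICMP socket, and classifies the answer so an administrator can confirm which mode a guest is in. The raw-socket probe is what the patch above changes; the SOCK_DGRAM/IPPROTO_ICMP probe is an assumption about later kernels (the "ping socket", gated by `net.ipv4.ping_group_range`), included only as the comparison point a modern defender would check, and not something that exists in the 2.4 kernel discussed here.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Classification of one socket(AF_INET, type, IPPROTO_ICMP) attempt. */
enum icmp_sock_status {
    ICMP_SOCK_ALLOWED = 0,     /* socket() succeeded for this uid */
    ICMP_SOCK_DENIED = 1,      /* EPERM/EACCES: the capability check refused us */
    ICMP_SOCK_UNAVAILABLE = 2  /* anything else, e.g. type not supported by this kernel */
};

/* Try to open an ICMP socket of the given type and report what the kernel
 * decided.  Nothing is sent; the descriptor is closed immediately.
 * err_out (optional) receives 0 on success or the errno of the failure. */
enum icmp_sock_status probe_icmp_socket(int type, int *err_out)
{
    int fd = socket(AF_INET, type, IPPROTO_ICMP);
    if (fd >= 0) {
        close(fd);
        if (err_out)
            *err_out = 0;
        return ICMP_SOCK_ALLOWED;
    }
    int e = errno;
    if (err_out)
        *err_out = e;
    if (e == EPERM || e == EACCES)
        return ICMP_SOCK_DENIED;
    return ICMP_SOCK_UNAVAILABLE;
}

const char *status_name(enum icmp_sock_status s)
{
    switch (s) {
    case ICMP_SOCK_ALLOWED:     return "allowed";
    case ICMP_SOCK_DENIED:      return "denied";
    default:                    return "unavailable";
    }
}

/* Human-readable verdict on the raw-socket result, from a defender's view.
 * On an unpatched kernel, "allowed" for a non-root uid means the process
 * holds CAP_NET_RAW; on a kernel with the discussed patch it means the
 * check has been bypassed for ICMP entirely. */
const char *raw_verdict(enum icmp_sock_status s, int euid)
{
    if (s == ICMP_SOCK_ALLOWED)
        return euid == 0 ? "root (or CAP_NET_RAW): raw ICMP allowed, as expected"
                         : "unprivileged raw ICMP allowed: CAP_NET_RAW present or check bypassed";
    if (s == ICMP_SOCK_DENIED)
        return "raw ICMP refused: capability check is in effect (ping needs SUID/caps)";
    return "raw ICMP socket not creatable for another reason";
}

int main(void)
{
    int err = 0;
    int euid = (int)geteuid();

    enum icmp_sock_status raw = probe_icmp_socket(SOCK_RAW, &err);
    printf("euid=%d SOCK_RAW/ICMP: %s (errno=%d %s)\n", euid, status_name(raw),
           err, err ? strerror(err) : "ok");
    printf("  -> %s\n", raw_verdict(raw, euid));

    /* Assumption: ping sockets (SOCK_DGRAM + IPPROTO_ICMP) are a later-kernel
     * feature; on a 2.4 kernel this probe reports "unavailable". */
    enum icmp_sock_status dgram = probe_icmp_socket(SOCK_DGRAM, &err);
    printf("SOCK_DGRAM/ICMP: %s (errno=%d %s)\n", status_name(dgram),
           err, err ? strerror(err) : "ok");
    return 0;
}
```

Run it once as root and once as an ordinary user inside the guest: the interesting case is an unprivileged "allowed" on the raw probe, which is exactly the condition the patch creates for every user of the vserver.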
_______________________________________________
Vserver mailing list
[email protected]
http://list.linux-vserver.org/mailman/listinfo/vserver