On Thu, Mar 17, 2005 at 03:49:53PM +0100, Ulrich Weber wrote:
> Well you could do as normal user all the things ICMP is good for.
> See http://www.faqs.org/docs/iptables/icmptypes.html for all types.
>
> This could be Source redirection. However that should be disabled on
> most systems for security reasons.
>
> That's IMHO the only thing evil users could do. All other ICMP types make
> no sense, because the user is not
> able to sniff the packets and therefore can not "react" to incoming
> packets with custom ICMP replies.
what about various DoS and DDoS things like sending host
unreachable for the 'neighbour' vserver's ip ...

> I would recommend to use this as default behavior. For high security you
> could disable this feature and for low
> security you could enable the CAP_NET_RAW mode.

carefully, CAP_NET_RAW gives you the ability to sniff all
kinds of traffic too ...

> You also have to consider that normally users on vservers are trusted so
> it's not really a multi-user environment.

hmm, they are? ;)

best,
Herbert

> Best regards
> Ulrich
>
>
> Herbert Poetzl wrote:
>
> >On Wed, Mar 16, 2005 at 06:58:23PM +0100, Ulrich Weber wrote:
> >
> >
> >>Hi all,
> >>
> >>because my vserver provider was unable to disable CAP_NET_RAW (all other
> >>customers want to use ping) I did some research on the topic.
> >>Attached please find a workaround patch to use ping without SUID (I got
> >>the inspiration from VXC_RAW_ICMP in vServer 1.9.4).
> >>
> >>I have no vserver installed, so I tested the attached patch in a
> >>user-mode-linux instance where it worked.
> >>Hope it works for vserver with CAP_NET_RAW disabled too.
> >>
> >>Is it possible to add this patch to the next stable release ?
> >>
> >>
> >
> >well, basically I have no problem with that, but you have
> >to convince me that it doesn't introduce a security hole
> >itself, and I'd prefer to make it at least a compile time
> >option, so that folks concerned about security can disable
> >it (but that's trivially done)
> >
> >best,
> >Herbert
> >
> >
> >
> >>Best regards
> >>Ulrich
> >>
> >>
> >
> >
> >
> >>diff -Nru linux-2.4.27.org/net/ipv4/af_inet.c
> >>linux-2.4.27/net/ipv4/af_inet.c
> >>--- af_inet.c 2005-03-16 18:39:54.000000000 +0100
> >>+++ af_inet.c 2005-03-16 18:39:43.000000000 +0100
> >>@@ -352,7 +352,7 @@
> >>
> >> if (!answer)
> >> goto free_and_badtype;
> >>- if (answer->capability > 0 && !capable(answer->capability))
> >>+ if ((protocol != IPPROTO_ICMP) && (answer->capability > 0) &&
> >>!capable(answer->capability))
> >> goto free_and_badperm;
> >> if (!protocol)
> >> goto free_and_noproto;
> >>
> >>
> >
> >
> >
> >>_______________________________________________
> >>Vserver mailing list
> >>[email protected]
> >>http://list.linux-vserver.org/mailman/listinfo/vserver
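Review bot: the new condition in inet_create exempts every socket created with protocol IPPROTO_ICMP from the capability check unconditionally, so once this is applied any unprivileged process in a vserver gets a raw ICMP socket and can emit any ICMP type, including the redirect and host-unreachable messages already discussed in this thread; nothing here restricts the socket type, the ICMP types that may be sent, or offers the compile-time or per-vserver switch Herbert asks for. A raw ICMP socket also receives the host's incoming ICMP traffic, so the earlier assumption that the user "is not able to sniff the packets" no longer holds after the check is bypassed. Suggest gating the exemption on a build option or a vserver flag (the VXC_RAW_ICMP the patch was modelled on is the natural candidate) rather than testing `protocol != IPPROTO_ICMP` bare, and, if the only goal is ping, limiting what such a socket may send rather than removing the privilege check entirely. Minor: the `---`/`+++` header names bare `af_inet.c` instead of the paths in the `diff -Nru` line, so the patch will not apply with the usual `-p1`.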
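A small probe, added here as an example and not part of the thread or the patch, that an administrator can run as an unprivileged user inside a vserver to confirm that raw ICMP sockets are still refused, which is the behaviour the unpatched capability check enforces. The enum, function names and verdict strings are my own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Outcome of trying to open a raw ICMP socket. */
enum raw_icmp_probe { RAW_ICMP_DENIED = 0, RAW_ICMP_ALLOWED = 1, RAW_ICMP_ERROR = 2 };

/* Attempt socket(AF_INET, SOCK_RAW, IPPROTO_ICMP), the call the patched
 * inet_create check governs, and close the descriptor at once if it succeeds.
 * The errno of a failed attempt is stored in *saved_errno (0 on success). */
enum raw_icmp_probe probe_raw_icmp(int *saved_errno)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd >= 0) {
        close(fd);
        if (saved_errno) *saved_errno = 0;
        return RAW_ICMP_ALLOWED;
    }
    if (saved_errno) *saved_errno = errno;
    /* EPERM (or EACCES under some LSMs) is the capability check refusing us. */
    if (errno == EPERM || errno == EACCES)
        return RAW_ICMP_DENIED;
    return RAW_ICMP_ERROR;   /* e.g. EPROTONOSUPPORT: no raw ICMP at all */
}

/* 1 when the probe shows raw ICMP sockets need CAP_NET_RAW on this host. */
int raw_icmp_is_restricted(enum raw_icmp_probe r) { return r == RAW_ICMP_DENIED; }

/* Verdict for the administrator; euid distinguishes "root can open it"
 * (expected) from "anyone can" (CAP_NET_RAW effective or check bypassed). */
const char *probe_verdict(enum raw_icmp_probe r, uid_t euid)
{
    switch (r) {
    case RAW_ICMP_ALLOWED:
        return euid == 0 ? "allowed for a privileged process; rerun as an unprivileged user"
                         : "ALLOWED without privilege: CAP_NET_RAW is effective or the check is bypassed";
    case RAW_ICMP_DENIED:
        return "denied: raw ICMP sockets require CAP_NET_RAW here";
    default:
        return "error: raw ICMP sockets not supported on this host";
    }
}

int main(void)
{
    int err = 0;
    enum raw_icmp_probe r = probe_raw_icmp(&err);
    printf("raw ICMP socket: %s (errno %d: %s)\n",
           probe_verdict(r, geteuid()), err, err ? strerror(err) : "none");
    return raw_icmp_is_restricted(r) ? 0 : 1;
}
```

Run it as an ordinary user inside the vserver: exit status 0 means the capability check held, 1 means the socket was handed out.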
