Re: [Vserver] ICMP and CAP_NET_RAW in 1.2.10

[Ulrich Weber]

im quite busy right now, so I forgot to write back sooner :)
I looked a little bit around, seems there is no nice way to secure the 
raw icmp socket.
The only way would be to check the source IP in the inet_sendmsg 
function ? But I think that would
cost to much performance.

So could you implement it as an alternative to CAP_NET_RAW ?
At least this would be better for people who need ping support than 
CAP_NET_RAW :)

Greets
Ulrich
Herbert Poetzl wrote:
On Thu, Mar 17, 2005 at 10:42:17PM +0100, Ulrich Weber wrote:
 

Herbert Poetzl wrote:
   

On Thu, Mar 17, 2005 at 03:49:53PM +0100, Ulrich Weber wrote:
     

Well you could do as normal user all the things ICMP is good for.
See http://www.faqs.org/docs/iptables/icmptypes.html for all types.
This could be Source redirection. However that should be disabled on 
most systems for security reasons.

Thats IMHO the only thing evil users good do. All other ICMP types make 
no sense, because the user is not
able to sniff the packets and therefore can not "react" to incoming 
packets with custom ICMP replys.
       

what about various DoS and DDoS things like sending
host unreachable for the 'neighbour' vserver's ip ...
     

Is it possible to send packets with other IPs than the of the origin 
vserver?
Should/Can this not be disabled by the vserver patch generally ?
   

yes, it is disabled for ip protocols, but raw sockets
(per definition) do not use any protocol ... and icmp
packets to not use ip addresses ;)
 

I would recommend to use this as default behavior.
For high security you
could disable this feature and for low
security you could enable the CAP_NET_RAW mode.
       

carefully, CAP_NET_RAW gives you the ability to sniff
all kinds of traffic too ...
     

Yeah thats exactly the problem wit my vserver provider. 
They enabled this to use ping on all vserver because 
more customers cared about ping than about sniffing the traffic...
   

well, just means that the customers knowledge about
those issues is small and the provider doesn't want
to bother with security ;)
 

You also have to consider that normally users on vservers 
are trusted so its not really a multi-user environment.
       

hmm, they are? ;)
     

Yeah, who wants this should rent a dedicated server ;)
   

best,
Herbert
 

_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
   

_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver