Re: [RFC] Allowing non-root to get iptables info?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Stephen Hemminger wrote:
Is there any strong reason why checking the status of iptables is restricted?

Vyatta makes a distribution for routers. In our case, we use a non-root account
for operator commands, and some of the commands are about querying iptables status.
It seems to be less risky to just fix the kernel to allow non-root user to query rules
than the current script that uses sudo. Another alternative would be building a special
restricted command that could be setuid root, but just changing the kernel seems easiest.

I always thought of it as a privacy thing, similar to restricting
/proc/net/nf_conntrack. But since iptables rules usually don't
allow you to determine active connections just from the packet
counters that might be overkill. So I don't see any real harm
in allowing users to list the ruleset.

I'll queue this patch for 2.6.26 if nobody has any objections.


-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux