Re: [RFC] Allowing non-root to get iptables info?

On Wed, Feb 27, 2008 at 12:52:52PM +0100, Patrick McHardy wrote:
> Stephen Hemminger wrote:
> >Is there any strong reason why checking the status of iptables is restricted?
> >
> >Vyatta makes a distribution for routers. In our case, we use a non-root account for operator commands, and some of the commands are about querying iptables status. It seems to be less risky to just fix the kernel to allow non-root user to query rules than the current script that uses sudo. Another alternative would be building a special restricted command that could be setuid root, but just changing the kernel seems easiest.
> I always thought of it as a privacy thing, similar to restricting
> /proc/net/nf_conntrack. But since iptables rules usually don't
> allow you to determine active connections just from the packet
> counters that might be overkill. So I don't see any real harm
> in allowing users to list the ruleset.

At least for iptables, reading of iptables status can be done by making
iptables-save setuid-root. So I think no kernel patching is necessary.

 -- Michal Miroslaw
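A practical caveat on the setuid suggestion above, followed by an added example (editor's illustration, not code from this thread, from Vyatta or from the netfilter project): marking /sbin/iptables-save itself setuid-root hands the caller control of its argv and environment. iptables-save accepts -M/--modprobe, which names a program it may run, and iptables locates its extension libraries through an environment variable (XTABLES_LIBDIR in current versions), which the dynamic linker's setuid protections do not scrub. The restricted setuid wrapper that Stephen mentions as an alternative avoids both: it execs iptables-save with a fixed argv and a fixed environment, and only lets the operator choose a table from an allowlist. The binary path, the allowlist and the group name in the install comment are assumptions for this example.

```c
/*
 * ipt_show.c (example wrapper, not part of iptables): run iptables-save
 * on behalf of an unprivileged operator account without a kernel change.
 *
 * Install (assumed group name "operator"):
 *   chown root:operator ipt_show && chmod 4750 ipt_show
 * The file mode, not this program, decides who may run it.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define TARGET "/sbin/iptables-save"   /* assumed path; adjust for the distro */
#define MAX_ARGS 4

/* Tables the operator may ask for; anything else is rejected. */
static const char *const allowed_tables[] = {
    "filter", "nat", "mangle", "raw", NULL
};

/* Return 1 if name is exactly one of the allowed tables, else 0. */
int table_allowed(const char *name)
{
    for (const char *const *t = allowed_tables; *t; t++)
        if (strcmp(*t, name) == 0)
            return 1;
    return 0;
}

/*
 * Build the argv handed to iptables-save from the wrapper's own arguments.
 * Accepted forms: no arguments, or exactly "-t <allowed table>".
 * Returns the number of entries written (excluding the NULL terminator),
 * or -1 if the caller's arguments are not acceptable. Nothing the caller
 * passes is forwarded verbatim except a validated table name.
 */
int build_argv(int argc, char *const argv[], char *out[], int out_max)
{
    if (out_max < MAX_ARGS)
        return -1;
    out[0] = "iptables-save";
    if (argc == 1) {
        out[1] = NULL;
        return 1;
    }
    if (argc == 3 && strcmp(argv[1], "-t") == 0 && table_allowed(argv[2])) {
        out[1] = "-t";
        out[2] = argv[2];
        out[3] = NULL;
        return 3;
    }
    return -1;
}

int main(int argc, char *argv[])
{
    char *args[MAX_ARGS];
    /* Fixed environment: the caller's variables (XTABLES_LIBDIR and friends)
     * must not reach iptables-save while it runs with euid 0. */
    char *const env[] = { "PATH=/usr/sbin:/sbin:/usr/bin:/bin", NULL };

    if (build_argv(argc, argv, args, MAX_ARGS) < 0) {
        fprintf(stderr, "usage: %s [-t filter|nat|mangle|raw]\n", argv[0]);
        return 2;
    }
    if (geteuid() != 0) {
        fprintf(stderr, "%s: not installed setuid root\n", argv[0]);
        return 1;
    }
    /* Reading the ruleset needs CAP_NET_ADMIN, which euid 0 provides; the
     * real uid stays the operator's, so the exec'd program still runs in
     * secure mode. argv and env are entirely under our control here. */
    execve(TARGET, args, env);
    perror(TARGET);
    return 1;
}
```

Compared with a sudoers line, the wrapper has the same effect (a fixed command with no caller-supplied options) but does not depend on sudo's configuration staying correct; compared with a bare setuid iptables-save, it closes the -M and library-path routes to root. It still exposes whatever iptables-save itself does with the four tables, which is the information the thread agrees is acceptable to show.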
