Re: [RFC] Allowing non-root to get iptables info?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Please don't trim CC lists.

Micha³ Miros³aw wrote:
On Wed, Feb 27, 2008 at 12:52:52PM +0100, Patrick McHardy wrote:
Stephen Hemminger wrote:
Is there any strong reason why checking the status of iptables is restricted?

Vyatta makes a distribution for routers. In our case, we use a non-root account for operator commands, and some of the commands are about querying iptables status. It seems to be less risky to just fix the kernel to allow non-root user to query rules than the current script that uses sudo. Another alternative would be building a special restricted command that could be setuid root, but just changing the kernel seems easiest.
I always thought of it as a privacy thing, similar to restricting
/proc/net/nf_conntrack. But since iptables rules usually don't
allow you to determine active connections just from the packet
counters that might be overkill. So I don't see any real harm
in allowing users to list the ruleset.

At least for iptables, reading of iptables status can be done by making
iptables-save setuid-root. So I think no kernel patching is necessary.


Thats true, but I wouldn't do that since iptables is not the
most trustworthy code.
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux