Please don't trim CC lists.
Michał Mirosław wrote:
On Wed, Feb 27, 2008 at 12:52:52PM +0100, Patrick McHardy wrote:
Stephen Hemminger wrote:
Is there any strong reason why checking the status of iptables is
restricted?
Vyatta makes a distribution for routers. In our case, we use a non-root
account for operator commands, and some of the commands are about querying
iptables status.
It seems to be less risky to just fix the kernel to allow non-root users to
query rules than the current script that uses sudo. Another alternative would
be building a special restricted command that could be setuid root, but just
changing the kernel seems easiest.
I always thought of it as a privacy thing, similar to restricting
/proc/net/nf_conntrack. But since iptables rules usually don't
allow you to determine active connections just from the packet
counters that might be overkill. So I don't see any real harm
in allowing users to list the ruleset.
At least for iptables, reading of iptables status can be done by making
iptables-save setuid-root. So I think no kernel patching is necessary.
That's true, but I wouldn't do that since iptables is not the
most trustworthy code.