Re: [RFC] Allowing non-root to get iptables info?

mouss wrote:
> Patrick McHardy wrote:
>> [Adding Stephen back to CC list]
>>
>> Jozsef Kadlecsik wrote:
>>> I'd be more happy with a module parameter and/or proc switch by which this new feature could be enabled. So backward compatibility could be kept and the users could list the rules only if the system is explicitly configured to allow it.
>>
>> I don't think compatibility is a problem here, lifting this
>> restriction can't possibly break anything in userspace.
>>
>> The question is more whether this causes privacy or other issues,
>> if yes, we shouldn't do it, otherwise there's no harm in doing
>> it unconditionally. I personally don't see any problems with
>> this change.
>
> On a server where users are allowed to run commands, but we don't want them to
> know more than they should, I am not sure one wants them to see the
> rules. Call it security by obscurity if you like, but some people may
> want this. I guess this is what Jozsef meant by compatibility (is it
> "least surprise"?).


Well, yes, the main question is whether this causes privacy issues.
"Security by obscurity" is a pretty poor argument, does anyone have
a well founded reason for not allowing users to see the rules and
counters?

