Re: [RFC] Allowing non-root to get iptables info?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Phil Oester wrote:
On Wed, Feb 27, 2008 at 03:51:20PM +0100, Patrick McHardy wrote:
Well, yes, the main question is whether this causes privacy issues.
"Security by obscurity" is a pretty poor argument, does anyone have
a well founded reason for not allowing users to see the rules and
counters?

I really don't think this is a good idea.  We allow non-root users
on some of our firewalls, and I don't want them to see the ruleset.
Also, it helps miscreants to better pick their targets, if they
know in advance which ports are opened.


They could also find out about this simply by probing ports ...

If making this change, *please* consider making it configurable,
with the default being NO access.


No, in that case I prefer to keep it restricted to root
unconditionally. Using sudo to get the rules is no big
deal I guess.

-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux