Re: [RFC] Allowing non-root to get iptables info?

On Wed, 27 Feb 2008 07:43:20 -0800
Phil Oester <kernel@xxxxxxxxxxxx> wrote:

> On Wed, Feb 27, 2008 at 04:34:38PM +0100, Patrick McHardy wrote:
> > Phil Oester wrote:
> > >I really don't think this is a good idea.  We allow non-root users
> > >on some of our firewalls, and I don't want them to see the ruleset.
> > >Also, it helps miscreants to better pick their targets, if they
> > >know in advance which ports are opened.
> > 
> > 
> > They could also find out about this simply by probing ports ...
> 
> And assuming a /16 with 65K ports, that would take a bit longer than
> the few seconds it takes to dump the ruleset.  Why make it easier
> than it has to be?
> 
> > >If making this change, *please* consider making it configurable,
> > >with the default being NO access.
> > 
> > 
> > No, in that case I prefer to keep it restricted to root
> > unconditionally. Using sudo to get the rules is no big
> > deal I guess.
> 

Well, in our case of router administration the risk of allowing an operator
sudo access to iptables is higher than the risk of exposing ports to wankers.
This is a special purpose distribution, so we will allow it; how about
a config option or sysctl?
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
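The thread turns on the gap between "let an operator read the ruleset" and "give an operator sudo access to iptables". The sudoers fragment below is an added illustration, not something from the thread or from the netfilter project, of how that gap is usually closed with sudo's own command matching: the first rule is the over-broad grant the reply above objects to, the second restricts the operator to listing commands with fixed arguments. The user name `operator`, the group `netops`, and the `/sbin/iptables` path are assumptions for the example.

```sudoers
# Added example, not from the original message.
# Over-broad: any iptables invocation as root, including -F, -A, -I, -D.
# operator ALL=(root) /sbin/iptables

# Restricted: only read-only listing, with arguments matched exactly.
# sudo matches the argument string literally, so "iptables -S" permits
# exactly that and not "iptables -S INPUT" or "iptables -F".
# -n avoids reverse DNS lookups on every address in the ruleset.
Cmnd_Alias IPT_READ = /sbin/iptables -S, \
                      /sbin/iptables -t nat -S, \
                      /sbin/iptables -L -n -v, \
                      /sbin/iptables-save

%netops ALL=(root) NOPASSWD: IPT_READ
```

Two things worth checking after adding such a file: `visudo -c` validates the syntax before it takes effect, and `sudo -l -U <user>` shows exactly which argument strings a given operator may run, which is where accidental wildcards (`/sbin/iptables *`) tend to surface. Every entry still relies on the command being invoked as root, so this keeps the kernel-side restriction the thread discusses intact while narrowing what the operator can do with it.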