Re: [RFC] Allowing non-root to get iptables info?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Patrick McHardy wrote:
Phil Oester wrote:
On Wed, Feb 27, 2008 at 03:51:20PM +0100, Patrick McHardy wrote:
Well, yes, the main question is whether this causes privacy issues.
"Security by obscurity" is a pretty poor argument, does anyone have
a well founded reason for not allowing users to see the rules and
counters?

I really don't think this is a good idea.  We allow non-root users
on some of our firewalls, and I don't want them to see the ruleset.
Also, it helps miscreants to better pick their targets, if they
know in advance which ports are opened.


They could also find out about this simply by probing ports ...

they could, but their IP may get blocked before that. if they know the rules, they will avoid being trapped. of course, the attack requires user collaboration, but why make it easier?

many people use "reactive" rules that blacklist an IP after N bad requests. if an attacker knows how many requests during what period of time he can do without being blacklisted, his task is easier. sure, a botnet owner doesn't care as he can use a distributed attack, but that's no reason to help silly kids.

or consider a case when a set of ports is forwarded to a set of hosts. why would a user need to know? it's none of his business. I would understand giving users information they need to do their job so that they don't bother admins or spend too much time in useless debugging. but this is different than giving access to _all_ informations to _all_ users. I said "security by obscurity", but it may also be considered as "minimum privilege" (or one tool in a "defense in depth" strategy)


If making this change, *please* consider making it configurable,
with the default being NO access.


No, in that case I prefer to keep it restricted to root
unconditionally. Using sudo to get the rules is no big
deal I guess.


I agree. if it can be implemented in "user space", there is no reason to "pollute" netfilter. one can even think of a program that gives specific infos based on user/group rules.


-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux