Hi Phil,
thanks for the review.
Phil Sutter <phil@xxxxxx> writes:
> Hi,
>
> On Wed, Jul 15, 2020 at 08:51:52AM +0200, Giuseppe Scrivano wrote:
>> allow users to override at runtime the lock file to use through the
>> XTABLES_LOCKFILE environment variable.
>>
>> It allows using iptables from a network namespace owned by an user
>> that has no write access to XT_LOCK_NAME (by default under /run), and
>> without setting up a new mount namespace.
>
> This sentence appears overly complicated to me. Isn't the problem just
> that XT_LOCK_NAME may not be writeable? That "user that has no write
> access" is typically root anyway as iptables doesn't support being
> called by non-privileged UIDs.
I'll rephrase it but it is really about the user not having access to the
lock file.
Without involving user namespaces, a simple reproducer for the issue can be:
$ caps="cap_net_admin,cap_net_raw,cap_setpcap,cap_setuid,cap_setgid"
$ capsh --caps="$caps"+eip --keep=1 --gid=1000 --uid=1000 \
--addamb="$caps" \
-- -c "iptables -F ..."
iptables seems to work fine even if the user is not running as root, as
long as enough capabilities are granted.
>> $ XTABLES_LOCKFILE=/tmp/xtables unshare -rn iptables ...
>>
>> Signed-off-by: Giuseppe Scrivano <gscrivan@xxxxxxxxxx>
>> ---
>> iptables/xshared.c | 7 ++++++-
>> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> Could you please update the man page as well? Unless you clarify why
> this should be a hidden feature, of course. :)
sure, I'll send a v3 shortly.
Giuseppe
