Re: [iptables PATCH] xshared: Fix response to unprivileged users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Jan 27, 2022 at 06:21:10PM +0100, Pablo Neira Ayuso wrote:
> On Thu, Jan 27, 2022 at 06:08:31PM +0100, Phil Sutter wrote:
> > Hi Pablo,
> > 
> > On Thu, Jan 27, 2022 at 05:28:39PM +0100, Pablo Neira Ayuso wrote:
> > > On Thu, Jan 20, 2022 at 11:16:53AM +0100, Phil Sutter wrote:
> > > > Expected behaviour in both variants is:
> > > > 
> > > > * Print help without error, append extension help if -m and/or -j
> > > >   options are present
> > > > * Indicate lack of permissions in an error message for anything else
> > > > 
> > > > With iptables-nft, this was broken basically from day 1. Shared use of
> > > > do_parse() then somewhat broke legacy: it started complaining about
> > > > inability to create a lock file.
> > > > 
> > > > Fix this by making iptables-nft assume extension revision 0 is present
> > > > if permissions don't allow to verify. This is consistent with legacy.
> > > > 
> > > > Second part is to exit directly after printing help - this avoids having
> > > > to make the following code "nop-aware" to prevent privileged actions.
> > > 
> > > On top of this patch, it should be possible to allow for some
> > > nfnetlink command to be used from unpriviledged process.
> > > 
> > > I'm attaching a sketch patch, it skips module autoload which is should
> > > not be triggered by an unpriviledged process.
> > > 
> > > This should allow for better help with -m/-j if the module is present.
> > 
> > That's interesting. What's the use-case? With my patch, extension help
> > text printing works fine as unprivileged user. Does it allow to drop the
> > "revision == 0 && EPERM" hack?
> 
> Your patch is needed because we have to deal with older kernels.
> 
> You assume revision 0 in case of EPERM. My patch provides better help
> if the module is present since there is no need to assume revision 0.

Ah, that's a good point. Users always see rev0 help texts, which are
naturally the most limited ones.

> Anyway, I think your approach is fine for the unpriviledged scenario
> you describe. I just wanted to write here that there is room to extend
> nfnetlink to support for unpriviledged requests.

I see, thanks. Yet your approach works only if the module is loaded
already, right?

Unless it's useful elsewhere as well, I don't think it's worth the
effort for iptables alone - requesting extension help as non-root is
quite a corner-case IMHO.

Cheers, Phil



[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux