From: Patrick McHardy <kaber@trash.net>
To: stable@kernel.org
Cc: netfilter-devel@lists.netfilter.org,
	Patrick McHardy <kaber@trash.net>,
	davem@davemloft.net
Subject: [NETFILTER 01/08]: Missing check for CAP_NET_ADMIN in iptables compat layer
Date: Fri, 17 Nov 2006 06:35:41 +0100 (MET)
Message-ID: <20061117053541.10231.82376.sendpatchset@localhost.localdomain>
In-Reply-To: <20061117053540.10231.92379.sendpatchset@localhost.localdomain>

[NETFILTER]: ip_tables: missing check for CAP_NET_ADMIN in compat layer

The 32bit compatibility layer has no CAP_NET_ADMIN check in
compat_do_ipt_get_ctl, which for example allows to list the current
iptables rules even without having that capability (the non-compat
version requires it). Other capabilities might be required to exploit
the bug (eg. CAP_NET_RAW to get the nfnetlink socket?), so a plain user
can't exploit it, but a setup actually using the posix capability system
might very well hit such a constellation of granted capabilities.

Signed-off-by: Björn Steinbrink <B.Steinbrink@gmx.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

---
commit 4410392a8258fd972fc08a336278b14c82b2774f
tree 567261d003b2a8fb08c2d89d0d708dd06f357f49
parent b4d854665eafe32b48e0eecadb91a73f6eea0055
author Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:22:07 +0100
committer Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:22:07 +0100

 net/ipv4/netfilter/ip_tables.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 048514f..c64340b 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1994,6 +1994,9 @@ compat_do_ipt_get_ctl(struct sock *sk, i
 {
 	int ret;
 
+	if (!capable(CAP_NET_ADMIN))
+		return -EPERM;
+
 	switch (cmd) {
 	case IPT_SO_GET_INFO:
 		ret = get_info(user, len, 1);
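
Review bot: The capable(CAP_NET_ADMIN) test sits ahead of the switch in compat_do_ipt_get_ctl, so it covers every cmd handled there, but the diffstat shows this is the only function touched, and the changelog does not say whether the corresponding compat set handler already performs the same check. Please state that in the commit message so stable reviewers can confirm no sibling compat entry point is left unguarded. The changelog also leaves the exploitation precondition as an open question ("CAP_NET_RAW to get the nfnetlink socket?"); for a -stable security fix it would help to state which capabilities are actually needed to reach this path. A one-line comment above the check noting that it mirrors the non-compat get handler would make the intent clear to later readers.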

Thread overview: 10+ messages
2006-11-17  5:35 [NETFILTER 00/08]: Netfilter -stable fixes Patrick McHardy
2006-11-17  5:35 ` Patrick McHardy [this message]
2006-11-17  5:35 ` [NETFILTER 02/08]: ip_tables: compat error way cleanup Patrick McHardy
2006-11-17  5:35 ` [NETFILTER 03/08]: ip_tables: fix module refcount leaks in compat error paths Patrick McHardy
2006-11-17  5:35 ` [NETFILTER 04/08]: Missed and reordered checks in {arp, ip, ip6}_tables Patrick McHardy
2006-11-17  5:35 ` [NETFILTER 05/08]: arp_tables: missing unregistration on module unload Patrick McHardy
2006-11-17  5:35 ` [NETFILTER 06/08]: Honour source routing for LVS-NAT Patrick McHardy
2006-11-17  5:35 ` [NETFILTER 07/08]: Kconfig: fix xt_physdev dependencies Patrick McHardy
2006-11-17  5:35 ` [NETFILTER 08/08]: xt_CONNSECMARK: fix Kconfig dependencies Patrick McHardy
2006-11-17  7:02 ` [stable] [NETFILTER 00/08]: Netfilter -stable fixes Chris Wright
