* [PATCH nft] main: _exit() if setuid
@ 2021-10-16 22:56 Florian Westphal
2021-10-17 22:17 ` Pablo Neira Ayuso
0 siblings, 1 reply; 4+ messages in thread
From: Florian Westphal @ 2021-10-16 22:56 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Apparently some people think its a good idea to make nft setuid so
unrivilged users can change settings.
"nft -f /etc/shadow" is just one example of why this is a bad idea.
Disable this. Do not print anything, fd cannot be trusted.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
src/main.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/main.c b/src/main.c
index 21096fc7398b..5847fc4ad514 100644
--- a/src/main.c
+++ b/src/main.c
@@ -363,6 +363,10 @@ int main(int argc, char * const *argv)
unsigned int len;
int i, val, rc;
+ /* nftables cannot be used with setuid in a safe way. */
+ if (getuid() != geteuid())
+ _exit(111);
+
if (!nft_options_check(argc, argv))
exit(EXIT_FAILURE);
--
2.31.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH nft] main: _exit() if setuid
2021-10-16 22:56 [PATCH nft] main: _exit() if setuid Florian Westphal
@ 2021-10-17 22:17 ` Pablo Neira Ayuso
2021-10-19 10:41 ` Florian Westphal
0 siblings, 1 reply; 4+ messages in thread
From: Pablo Neira Ayuso @ 2021-10-17 22:17 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On Sun, Oct 17, 2021 at 12:56:23AM +0200, Florian Westphal wrote:
> Apparently some people think its a good idea to make nft setuid so
> unrivilged users can change settings.
>
> "nft -f /etc/shadow" is just one example of why this is a bad idea.
> Disable this. Do not print anything, fd cannot be trusted.
>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
> src/main.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/src/main.c b/src/main.c
> index 21096fc7398b..5847fc4ad514 100644
> --- a/src/main.c
> +++ b/src/main.c
> @@ -363,6 +363,10 @@ int main(int argc, char * const *argv)
> unsigned int len;
> int i, val, rc;
>
> + /* nftables cannot be used with setuid in a safe way. */
> + if (getuid() != geteuid())
> + _exit(111);
Applications using libnftables would still face the same issue.
> if (!nft_options_check(argc, argv))
> exit(EXIT_FAILURE);
>
> --
> 2.31.1
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH nft] main: _exit() if setuid
2021-10-17 22:17 ` Pablo Neira Ayuso
@ 2021-10-19 10:41 ` Florian Westphal
2021-10-19 11:54 ` Pablo Neira Ayuso
0 siblings, 1 reply; 4+ messages in thread
From: Florian Westphal @ 2021-10-19 10:41 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Florian Westphal, netfilter-devel
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Sun, Oct 17, 2021 at 12:56:23AM +0200, Florian Westphal wrote:
> > Apparently some people think its a good idea to make nft setuid so
> > unrivilged users can change settings.
> >
> > "nft -f /etc/shadow" is just one example of why this is a bad idea.
> > Disable this. Do not print anything, fd cannot be trusted.
> >
> > Signed-off-by: Florian Westphal <fw@strlen.de>
> > ---
> > src/main.c | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/src/main.c b/src/main.c
> > index 21096fc7398b..5847fc4ad514 100644
> > --- a/src/main.c
> > +++ b/src/main.c
> > @@ -363,6 +363,10 @@ int main(int argc, char * const *argv)
> > unsigned int len;
> > int i, val, rc;
> >
> > + /* nftables cannot be used with setuid in a safe way. */
> > + if (getuid() != geteuid())
> > + _exit(111);
>
> Applications using libnftables would still face the same issue.
Yes, but there is an off-chance they know what they are doing.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH nft] main: _exit() if setuid
2021-10-19 10:41 ` Florian Westphal
@ 2021-10-19 11:54 ` Pablo Neira Ayuso
0 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2021-10-19 11:54 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On Tue, Oct 19, 2021 at 12:41:03PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Sun, Oct 17, 2021 at 12:56:23AM +0200, Florian Westphal wrote:
> > > Apparently some people think its a good idea to make nft setuid so
> > > unrivilged users can change settings.
> > >
> > > "nft -f /etc/shadow" is just one example of why this is a bad idea.
> > > Disable this. Do not print anything, fd cannot be trusted.
> > >
> > > Signed-off-by: Florian Westphal <fw@strlen.de>
> > > ---
> > > src/main.c | 4 ++++
> > > 1 file changed, 4 insertions(+)
> > >
> > > diff --git a/src/main.c b/src/main.c
> > > index 21096fc7398b..5847fc4ad514 100644
> > > --- a/src/main.c
> > > +++ b/src/main.c
> > > @@ -363,6 +363,10 @@ int main(int argc, char * const *argv)
> > > unsigned int len;
> > > int i, val, rc;
> > >
> > > + /* nftables cannot be used with setuid in a safe way. */
> > > + if (getuid() != geteuid())
> > > + _exit(111);
> >
> > Applications using libnftables would still face the same issue.
>
> Yes, but there is an off-chance they know what they are doing.
Sounds sensible, I'd suggest you document this in the commit before
pushing.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-10-19 11:54 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-10-16 22:56 [PATCH nft] main: _exit() if setuid Florian Westphal
2021-10-17 22:17 ` Pablo Neira Ayuso
2021-10-19 10:41 ` Florian Westphal
2021-10-19 11:54 ` Pablo Neira Ayuso
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.