* [PATCH] ipt_recent: add module parameter for changing GID of /proc/net/ipt_recent/*
@ 2006-07-08 1:46 Daniel De Graaf
2006-07-08 3:02 ` Patrick McHardy
0 siblings, 1 reply; 6+ messages in thread
From: Daniel De Graaf @ 2006-07-08 1:46 UTC (permalink / raw)
To: Netfilter-Devel
This patch adds an ip_list_gid module parameter to ipt_recent, which is
meant to be used in combination with the ip_list_perms. In the current
implementation, the files must either be world-writable or require
programs which write to them to be (at least) setgid root.
- Daniel De Graaf
[-- Attachment #2: ipt_recent.patch --]
--- base-2.6.17/net/ipv4/netfilter/ipt_recent.c 2006-06-19 18:47:51.000000000 -0500
+++ linux/net/ipv4/netfilter/ipt_recent.c 2006-07-07 19:20:10.000000000 -0500
@@ -28,6 +28,7 @@
static unsigned int ip_pkt_list_tot = 20;
static unsigned int ip_list_hash_size = 0;
static unsigned int ip_list_perms = 0644;
+static unsigned int ip_list_gid = 0;
#ifdef DEBUG
static int debug = 1;
#endif
@@ -42,6 +43,7 @@
module_param(ip_pkt_list_tot, uint, 0400);
module_param(ip_list_hash_size, uint, 0400);
module_param(ip_list_perms, uint, 0400);
+module_param(ip_list_gid, uint, 0400);
#ifdef DEBUG
module_param(debug, bool, 0600);
MODULE_PARM_DESC(debug,"enable debugging output");
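Review bot: the 0400 mode on the new module_param matches the neighbouring parameters and is the right choice here, because ip_list_gid is only consumed when a table's proc entry is created (the @@ -852 hunk below); a sysfs-writable mode would suggest that changing it later re-owns existing entries, which it would not.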
@@ -50,6 +52,7 @@
MODULE_PARM_DESC(ip_pkt_list_tot,"number of packets per IP to remember");
MODULE_PARM_DESC(ip_list_hash_size,"size of hash table used to look up IPs");
MODULE_PARM_DESC(ip_list_perms,"permissions on /proc/net/ipt_recent/* files");
+MODULE_PARM_DESC(ip_list_gid,"owning group of /proc/net/ipt_recent/* files");
/* Structure of our list of recently seen addresses. */
struct recent_ip_list {
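Review bot: the description "owning group of /proc/net/ipt_recent/* files" does not tell an administrator that the group only gains write access together with a group-writable ip_list_perms (the default 0644 leaves it read-only); since the cover text says the two are meant to be used in combination, state that here, e.g. "owning group of /proc/net/ipt_recent/* files (see ip_list_perms)".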
@@ -852,6 +855,7 @@
}
curr_table->status_proc->owner = THIS_MODULE;
+ curr_table->status_proc->gid = ip_list_gid;
curr_table->status_proc->data = curr_table;
wmb();
curr_table->status_proc->read_proc = ip_recent_get_info;
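Review bot: only the gid is set on status_proc; its uid stays root, so the practical configuration this enables is ip_list_perms=0660 plus a dedicated group, which is still one step short of letting a single unprivileged service account own the entries outright. A matching uid parameter assigned on the line next to the gid would complete the change.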
* Re: [PATCH] ipt_recent: add module parameter for changing GID of /proc/net/ipt_recent/*
2006-07-08 1:46 [PATCH] ipt_recent: add module parameter for changing GID of /proc/net/ipt_recent/* Daniel De Graaf
@ 2006-07-08 3:02 ` Patrick McHardy
2006-07-08 3:25 ` Daniel De Graaf
0 siblings, 1 reply; 6+ messages in thread
From: Patrick McHardy @ 2006-07-08 3:02 UTC (permalink / raw)
To: Daniel De Graaf; +Cc: Netfilter-Devel
Daniel De Graaf wrote:
> This patch adds an ip_list_gid module parameter to ipt_recent, which is
> meant to be used in combination with the ip_list_perms. In the current
> implementation, the files must either be world-writable or require
> programs which write to them to be (at least) setgid root.
>
> - Daniel De Graaf
/* Structure of our list of recently seen addresses. */
struct recent_ip_list {
@@ -852,6 +855,7 @@
}
curr_table->status_proc->owner = THIS_MODULE;
+ curr_table->status_proc->gid = ip_list_gid;
curr_table->status_proc->data = curr_table;
wmb();
curr_table->status_proc->read_proc = ip_recent_get_info;
That code is gone for good, please check if your patch is still
necessary for current -git and resubmit in case it is.
* Re: [PATCH] ipt_recent: add module parameter for changing GID of /proc/net/ipt_recent/*
2006-07-08 3:02 ` Patrick McHardy
@ 2006-07-08 3:25 ` Daniel De Graaf
2006-07-08 10:42 ` Patrick McHardy
0 siblings, 1 reply; 6+ messages in thread
From: Daniel De Graaf @ 2006-07-08 3:25 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter-Devel
Patrick McHardy wrote:
> Daniel De Graaf wrote:
>> This patch adds an ip_list_gid module parameter to ipt_recent,
>> which is meant to be used in combination with the ip_list_perms.
>> In the current implementation, the files must either be
>> world-writable or require programs which write to them to be (at
>> least) setgid root.
>>
>> - Daniel De Graaf
>
> /* Structure of our list of recently seen addresses. */ struct
> recent_ip_list { @@ -852,6 +855,7 @@ }
> curr_table->status_proc->owner = THIS_MODULE; +
> curr_table->status_proc->gid = ip_list_gid;
> curr_table->status_proc->data = curr_table; wmb();
> curr_table->status_proc->read_proc = ip_recent_get_info;
>
>
> That code is gone for good, please check if your patch is still
> necessary for current -git and resubmit in case it is.
Here's an updated patch against 2.6.18-rc1.
[-- Attachment #2: ipt_recent.patch --]
--- ipt_recent.c.old 2006-07-07 22:17:37.000000000 -0500
+++ ipt_recent.c 2006-07-07 22:23:36.000000000 -0500
@@ -35,14 +35,17 @@
static unsigned int ip_pkt_list_tot = 20;
static unsigned int ip_list_hash_size = 0;
static unsigned int ip_list_perms = 0644;
+static unsigned int ip_list_gid = 0;
module_param(ip_list_tot, uint, 0400);
module_param(ip_pkt_list_tot, uint, 0400);
module_param(ip_list_hash_size, uint, 0400);
module_param(ip_list_perms, uint, 0400);
+module_param(ip_list_gid, uint, 0400);
MODULE_PARM_DESC(ip_list_tot, "number of IPs to remember per list");
MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP to remember (max. 255)");
MODULE_PARM_DESC(ip_list_hash_size, "size of hash table used to look up IPs");
MODULE_PARM_DESC(ip_list_perms, "permissions on /proc/net/ipt_recent/* files");
+MODULE_PARM_DESC(ip_list_gid,"owning group of /proc/net/ipt_recent/* files");
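Review bot: style point in the added MODULE_PARM_DESC line: the four existing lines in this hunk put a space after the comma ("ip_list_perms, \"permissions ...") while the new one does not ("ip_list_gid,\"owning group ..."); match the surrounding style.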
struct recent_entry {
@@ -274,6 +277,7 @@
goto out;
}
t->proc->proc_fops = &recent_fops;
+ t->proc->gid = ip_list_gid;
t->proc->data = t;
#endif
spin_lock_bh(&recent_lock);
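Review bot: the gid is assigned inside the CONFIG_PROC_FS block right after proc_fops, which is the correct spot, but t->proc->uid is left at its default of root, so an operator still cannot hand the entries to a single non-root account without also relying on group permissions; add an ip_list_uid parameter alongside it.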
* Re: [PATCH] ipt_recent: add module parameter for changing GID of /proc/net/ipt_recent/*
2006-07-08 3:25 ` Daniel De Graaf
@ 2006-07-08 10:42 ` Patrick McHardy
2006-07-08 17:21 ` Daniel De Graaf
0 siblings, 1 reply; 6+ messages in thread
From: Patrick McHardy @ 2006-07-08 10:42 UTC (permalink / raw)
To: Daniel De Graaf; +Cc: Netfilter-Devel
Daniel De Graaf wrote:
> Patrick McHardy wrote:
>
>>>Daniel De Graaf wrote:
>>>
>>>>This patch adds an ip_list_gid module parameter to ipt_recent,
>>>>which is meant to be used in combination with the ip_list_perms.
>>>>In the current implementation, the files must either be
>>>>world-writable or require programs which write to them to be (at
>>>>least) setgid root.
>>>>
> Here's an updated patch against 2.6.18-rc1.
I'm fine doing this, but just allowing to set group ownership without
user ownership will probably soon make someone else send me a second
patch, so please take care of this as well. Please also make sure your
patch applies with -p1 in the kernel tree root and don't forget to
sign off.
* Re: [PATCH] ipt_recent: add module parameter for changing GID of /proc/net/ipt_recent/*
2006-07-08 10:42 ` Patrick McHardy
@ 2006-07-08 17:21 ` Daniel De Graaf
2006-07-09 3:43 ` Patrick McHardy
0 siblings, 1 reply; 6+ messages in thread
From: Daniel De Graaf @ 2006-07-08 17:21 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
Patrick McHardy wrote:
> Daniel De Graaf wrote:
>> Patrick McHardy wrote:
>>
>>>> Daniel De Graaf wrote:
>>>>
>>>>> This patch adds an ip_list_gid module parameter to
>>>>> ipt_recent, which is meant to be used in combination with
>>>>> the ip_list_perms. In the current implementation, the files
>>>>> must either be world-writable or require programs which
>>>>> write to them to be (at least) setgid root.
>>>>>
>> Here's an updated patch against 2.6.18-rc1.
>
>
> I'm fine doing this, but just allowing to set group ownership
> without user ownership will probably soon make someone else send me
> a second patch, so please take care of this as well. Please also
> make sure your patch applies with -p1 in the kernel tree root and
> don't forget to sign off.
>
Patch with UID setting and sign-off.
[-- Attachment #2: ipt_recent.patch --]
Add support for setting the UID and GID of /proc/net/ipt_recent/* files.
Signed-off-by: Daniel De Graaf <danield@iastate.edu>
===================================================================
--- a/net/ipv4/netfilter/ipt_recent.c 2006-07-07 22:17:37.000000000 -0500
+++ b/net/ipv4/netfilter/ipt_recent.c 2006-07-08 11:49:10.000000000 -0500
@@ -35,14 +35,20 @@
static unsigned int ip_pkt_list_tot = 20;
static unsigned int ip_list_hash_size = 0;
static unsigned int ip_list_perms = 0644;
+static unsigned int ip_list_uid = 0;
+static unsigned int ip_list_gid = 0;
module_param(ip_list_tot, uint, 0400);
module_param(ip_pkt_list_tot, uint, 0400);
module_param(ip_list_hash_size, uint, 0400);
module_param(ip_list_perms, uint, 0400);
+module_param(ip_list_uid, uint, 0400);
+module_param(ip_list_gid, uint, 0400);
MODULE_PARM_DESC(ip_list_tot, "number of IPs to remember per list");
MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP to remember (max. 255)");
MODULE_PARM_DESC(ip_list_hash_size, "size of hash table used to look up IPs");
MODULE_PARM_DESC(ip_list_perms, "permissions on /proc/net/ipt_recent/* files");
+MODULE_PARM_DESC(ip_list_uid,"owner of /proc/net/ipt_recent/* files");
+MODULE_PARM_DESC(ip_list_gid,"owning group of /proc/net/ipt_recent/* files");
struct recent_entry {
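Review bot: the two new MODULE_PARM_DESC lines still lack the space after the comma that the four surrounding lines use ("ip_list_uid,\"owner of ..." versus "ip_list_perms, \"permissions ..."); otherwise the declarations, module_param entries and descriptions are consistent with each other and the hunk header's +20 line count matches the six added lines.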
@@ -274,6 +280,8 @@
goto out;
}
t->proc->proc_fops = &recent_fops;
+ t->proc->uid = ip_list_uid;
+ t->proc->gid = ip_list_gid;
t->proc->data = t;
#endif
spin_lock_bh(&recent_lock);
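Review bot: the uid and gid are applied once, at table creation, and default to 0/0, so existing behaviour is unchanged and the feature is opt-in; the remaining gap is documentation, since nothing on the page tells an administrator that the intended safe combination is a non-world-writable ip_list_perms (e.g. 0660) together with these two values rather than the world-writable mode the cover text set out to avoid. A sentence in the parameter descriptions or in the module's documentation would close that.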
* Re: [PATCH] ipt_recent: add module parameter for changing GID of /proc/net/ipt_recent/*
2006-07-08 17:21 ` Daniel De Graaf
@ 2006-07-09 3:43 ` Patrick McHardy
0 siblings, 0 replies; 6+ messages in thread
From: Patrick McHardy @ 2006-07-09 3:43 UTC (permalink / raw)
To: Daniel De Graaf; +Cc: netfilter-devel
Daniel De Graaf wrote:
> Add support for setting the UID and GID of /proc/net/ipt_recent/* files.
Applied, will probably push tomorrow. Thanks Daniel.
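The combined effect of ip_list_uid, ip_list_gid and ip_list_perms is easiest to verify from userspace. The following is an added example, not code from this thread or from the ipt_recent module: a POSIX shell audit (GNU coreutils stat assumed) that checks that the entries under /proc/net/ipt_recent carry the intended uid and gid and are not world-writable, which is the condition the original cover text set out to avoid.

```shell
#!/bin/sh
# Added example (not code from the thread or from ipt_recent): audit the
# /proc/net/ipt_recent/* entries for the ownership and mode an administrator
# intended via the ip_list_uid, ip_list_gid and ip_list_perms parameters.
# Requires GNU coreutils stat (Linux).
#
# audit_recent_entries DIR WANT_UID WANT_GID
#   returns 0 when every regular file in DIR is owned by WANT_UID:WANT_GID
#   and is not world-writable, 1 otherwise (each problem is reported on stderr)
audit_recent_entries() {
    dir=$1
    want_uid=$2
    want_gid=$3
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue            # skip when the glob matched nothing
        # symbolic mode plus numeric owner and group in a single stat call
        info=$(stat -c '%A %u %g' "$f") || { rc=1; continue; }
        set -- $info
        perm=$1; uid=$2; gid=$3
        case $perm in
            ????????w?)                    # 9th character is the "other" write bit
                echo "$f: world-writable ($perm)" >&2; rc=1 ;;
        esac
        if [ "$uid" != "$want_uid" ]; then
            echo "$f: owner uid $uid, expected $want_uid" >&2; rc=1
        fi
        if [ "$gid" != "$want_gid" ]; then
            echo "$f: group gid $gid, expected $want_gid" >&2; rc=1
        fi
    done
    return $rc
}

# Stand-alone use against the live module, assuming it was loaded as
#   modprobe ipt_recent ip_list_perms=0660 ip_list_uid=N ip_list_gid=M
# (N and M are placeholders for the chosen ids):
#   audit_recent_entries /proc/net/ipt_recent N M
```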