From: Patrick McHardy <kaber@trash.net>
To: Sebastian Hagen <sebastian_hagen@memespace.net>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: libnetfilter_conntrack checks for (getuid() == 0)
Date: Tue, 15 Aug 2006 19:12:52 +0200 [thread overview]
Message-ID: <44E20094.8080309@trash.net> (raw)
In-Reply-To: <44E1FFF7.2010103@memespace.net>
Sebastian Hagen wrote:
> I'm in the process of writing a program that depends on
> libnetfilter_conntrack (currently using the current version, that is svn
> revision 6663), and have run into an annoyance.
> Obviously interfacing with the ip_conntrack_netlink module requires elevated
> privileges; I'm not quite certain what the required set of required
> privileges for initializing the socket is, but after that CAP_NET_ADMIN is
> definitely sufficient for using dump_conntrack_table().
>
> None of these operations, afaict, really require the process to have an uid
> of 0. Unfortunately libnetfilter_conntrack checks for that anyway,
> specifically in nfct_event_conntrack() and nfct_event_expectation(). The
> specific code is in both cases:
>
> if (getuid() != 0)
> return -EPERM;
>
> The actual useful code of these functions appears to me to be a strict
> subset of that of dump_conntrack_table(); so since dump_conntrack_table()
> continues to work with only CAP_NET_ADMIN, so should nfct_event_conntrack()
> and nfct_event_expectation().
> Additionally, if one does drop CAP_NET_ADMIN from the effective capability
> set, dump_conntrack_table() will return the error correctly.
>
> IMHO, these explicit checks for getuid() == 0...
> a) are wrong as they prevent the library user from dropping 'privileges'
> (uid==0 isn't strictly a privilege, but considering the file ownership on
> many systems, it might as well be) they really should be able to drop
>
> b) allow false negatives as uid 0 processes don't necessarily have CAP_NET_ADMIN
>
> c) are afaict completely useless in any event, since nfnl_listen() will fail
> correctly in the absence of CAP_NET_ADMIN
>
> ...and should therefore be removed.
Fully agreed.
> Please do correct me if I'm mistaken about any of this.
> If I'm not, should I make a patch for this? Since the fix would simply
> consist of removing the four mentioned lines from the source, doing that
> would be trivial.
Please send a patch.
next prev parent reply other threads:[~2006-08-15 17:12 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-08-15 17:10 libnetfilter_conntrack checks for (getuid() == 0) Sebastian Hagen
2006-08-15 17:12 ` Patrick McHardy [this message]
2006-08-15 17:45 ` Sebastian Hagen
2006-08-16 11:12 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=44E20094.8080309@trash.net \
--to=kaber@trash.net \
--cc=netfilter-devel@lists.netfilter.org \
--cc=sebastian_hagen@memespace.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.