From: Auke Kok <auke-jan.h.kok@intel.com>
To: Stephen Hemminger <shemminger@osdl.org>, Jeff Garzik <jgarzik@pobox.com>
Cc: netdev@vger.kernel.org, Jesse Brandeburg <jesse.brandeburg@intel.com>
Subject: Re: [RFC] let mortals use ethtool
Date: Thu, 28 Sep 2006 12:56:25 -0700
Message-ID: <451C28E9.6040708@intel.com>
In-Reply-To: <20060928122514.112a19a8@dxpl.pdx.osdl.net>

Stephen Hemminger wrote:
> There is no reason to not allow non-admin users to query network
> statistics and settings.
> 
> 
> --- linux-2.6.orig/net/core/ethtool.c
> +++ linux-2.6/net/core/ethtool.c
> @@ -806,13 +806,6 @@ int dev_ethtool(struct ifreq *ifr)
>  	int rc;
>  	unsigned long old_features;
>  
> -	/*
> -	 * XXX: This can be pushed down into the ethtool_* handlers that
> -	 * need it.  Keep existing behaviour for the moment.
> -	 */
> -	if (!capable(CAP_NET_ADMIN))
> -		return -EPERM;
> -
>  	if (!dev || !netif_device_present(dev))
>  		return -ENODEV;
>  
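Review bot: Removing the early capable(CAP_NET_ADMIN) test at the top of dev_ethtool() changes which error an unprivileged caller sees: the !dev || !netif_device_present(dev) test now runs first, so such a caller gets -ENODEV where it used to get -EPERM. That is a userspace-visible change and should be mentioned in the changelog. The removed XXX comment proposed pushing the check down into the individual ethtool_* handlers; the changelog should also say why a central list was chosen instead.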
> @@ -822,6 +815,33 @@ int dev_ethtool(struct ifreq *ifr)
>  	if (copy_from_user(&ethcmd, useraddr, sizeof (ethcmd)))
>  		return -EFAULT;
>  
> +	/* Allow some commands to be done by anyone */
> +	switch(ethcmd) {
> +	case ETHTOOL_GSET:
> +	case ETHTOOL_GDRVINFO:
> +	case ETHTOOL_GREGS:
> +	case ETHTOOL_GWOL:
> +	case ETHTOOL_GMSGLVL:
> +	case ETHTOOL_GLINK:
> +	case ETHTOOL_GCOALESCE:
> +	case ETHTOOL_GRINGPARAM:
> +	case ETHTOOL_GPAUSEPARAM:
> +	case ETHTOOL_GRXCSUM:
> +	case ETHTOOL_GTXCSUM:
> +	case ETHTOOL_GSG:
> +	case ETHTOOL_GSTRINGS:
> +	case ETHTOOL_PHYS_ID:

PHYS_ID pokes in hardware and makes it jump through hoops, in the case of some hardware
this could create a local DOS attack (e1000 suffers from this, probably more if not all)
where the NIC might stop receiving packets, or the big lock is held indefinitely.

Not a good idea

The other ones are fine I think.

Auke


> +	case ETHTOOL_GSTATS:
> +	case ETHTOOL_GTSO:
> +	case ETHTOOL_GPERMADDR:
> +	case ETHTOOL_GUFO:
> +	case ETHTOOL_GGSO:
> +		break;
> +	default:
> +		if (!capable(CAP_NET_ADMIN))
> +			return -EPERM;
> +	}
> +
>  	if(dev->ethtool_ops->begin)
>  		if ((rc = dev->ethtool_ops->begin(dev)) < 0)
>  			return rc;
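Review bot: ETHTOOL_PHYS_ID is the one entry in the unprivileged list that is not a G* (get) command, so "query network statistics and settings" does not cover it; suggest dropping that case so it falls through to the default: branch and its capable(CAP_NET_ADMIN) test. ETHTOOL_GREGS also deserves a second look, since a register dump is more than statistics or settings. Note too that after this switch every caller, privileged or not, reaches dev->ethtool_ops->begin(dev), so each driver's begin hook now runs on behalf of unprivileged users. Style: switch(ethcmd) wants a space after switch, and the default: branch should end with an explicit break.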
> @@ -947,6 +967,10 @@ int dev_ethtool(struct ifreq *ifr)
>  	return rc;
>  
>   ioctl:
> +	/* Keep existing behaviour for the moment.	 */
> +	if (!capable(CAP_NET_ADMIN))
> +		return -EPERM;
> +
>  	if (dev->do_ioctl)
>  		return dev->do_ioctl(dev, ifr, SIOCETHTOOL);
>  	return -EOPNOTSUPP;
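Review bot: The comment added at the ioctl: label, "Keep existing behaviour for the moment.", has a stray tab before the closing */ and does not say what would have to change for the check to go away. Suggest wording it as the rule it enforces, for example that requests passed to dev->do_ioctl() stay restricted to CAP_NET_ADMIN, and fixing the whitespace.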
