From: Patrick McHardy <kaber@trash.net>
To: "Micha³ Miros³aw" <mirq-linux@rere.qmqm.pl>
Cc: Netfilter Developer Mailing List <netfilter-devel@vger.kernel.org>
Subject: Re: [RFC] Allowing non-root to get iptables info?
Date: Wed, 27 Feb 2008 13:43:40 +0100 [thread overview]
Message-ID: <47C55AFC.7090705@trash.net> (raw)
In-Reply-To: <20080227123122.GA22353@rere.qmqm.pl>
Please don't trim CC lists.
Micha³ Miros³aw wrote:
> On Wed, Feb 27, 2008 at 12:52:52PM +0100, Patrick McHardy wrote:
>> Stephen Hemminger wrote:
>>> Is there any strong reason why checking the status of iptables is
>>> restricted?
>>>
>>> Vyatta makes a distribution for routers. In our case, we use a non-root
>>> account
>>> for operator commands, and some of the commands are about querying
>>> iptables status.
>>> It seems to be less risky to just fix the kernel to allow non-root user to
>>> query rules
>>> than the current script that uses sudo. Another alternative would be
>>> building a special
>>> restricted command that could be setuid root, but just changing the kernel
>>> seems easiest.
>> I always thought of it as a privacy thing, similar to restricting
>> /proc/net/nf_conntrack. But since iptables rules usually don't
>> allow you to determine active connections just from the packet
>> counters that might be overkill. So I don't see any real harm
>> in allowing users to list the ruleset.
>
> At least for iptables, reading of iptables status can be done by making
> iptables-save setuid-root. So I think no kernel patching is necessary.
Thats true, but I wouldn't do that since iptables is not the
most trustworthy code.
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2008-02-27 12:43 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20080225094951.5bd89c9c@extreme>
2008-02-27 11:52 ` [RFC] Allowing non-root to get iptables info? Patrick McHardy
2008-02-27 12:31 ` Michał Mirosław
2008-02-27 12:43 ` Patrick McHardy [this message]
2008-02-27 12:59 ` Jozsef Kadlecsik
2008-02-27 13:04 ` Patrick McHardy
2008-02-27 14:39 ` mouss
2008-02-27 14:51 ` Patrick McHardy
2008-02-27 15:31 ` Phil Oester
2008-02-27 15:34 ` Patrick McHardy
2008-02-27 15:43 ` Phil Oester
2008-02-27 16:34 ` Stephen Hemminger
2008-02-27 16:53 ` Patrick McHardy
2008-02-27 17:48 ` mouss
2008-02-27 16:51 ` Jan Engelhardt
2008-02-27 12:18 ` Patrick McHardy
2008-02-28 9:18 ` Harald Welte
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=47C55AFC.7090705@trash.net \
--to=kaber@trash.net \
--cc=mirq-linux@rere.qmqm.pl \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.