From: Patrick McHardy <kaber@trash.net>
To: Stephen Hemminger <shemminger@vyatta.com>
Cc: "Phil Oester" <kernel@linuxace.com>, mouss <mouss@netoyen.net>,
"Jozsef Kadlecsik" <kadlec@blackhole.kfki.hu>,
"Micha³ Miros³aw" <mirq-linux@rere.qmqm.pl>,
"Netfilter Developer Mailing List"
<netfilter-devel@vger.kernel.org>
Subject: Re: [RFC] Allowing non-root to get iptables info?
Date: Wed, 27 Feb 2008 17:53:35 +0100 [thread overview]
Message-ID: <47C5958F.3000704@trash.net> (raw)
In-Reply-To: <20080227083436.68fe60e3@extreme>
Stephen Hemminger wrote:
> On Wed, 27 Feb 2008 07:43:20 -0800
> Phil Oester <kernel@linuxace.com> wrote:
>
>> On Wed, Feb 27, 2008 at 04:34:38PM +0100, Patrick McHardy wrote:
>>> Phil Oester wrote:
>>>> I really don't think this is a good idea. We allow non-root users
>>>> on some of our firewalls, and I don't want them to see the ruleset.
>>>> Also, it helps miscreants to better pick their targets, if they
>>>> know in advance which ports are opened.
>>>
>>> They could also find out about this simply by probing ports ...
>> And assuming a /16 with 65K ports, that would take a bit longer than
>> the few seconds it takes to dump the ruleset. Why make it easier
>> than it has to be?
>>
>>>> If making this change, *please* consider making it configurable,
>>>> with the default being NO access.
>>>
>>> No, in that case I prefer to keep it restricted to root
>>> unconditionally. Using sudo to get the rules is no big
>>> deal I guess.
>
> Well in our case of router administration the risk of allowing an operator
> sudo access to iptables is higher than the risk of exposing ports to wankers.
> This is a special purpose distribution, so we will allow it, how about
> a config option or sysctl?
I don't like having things like this controlled through config
options or sysctls. I'd take a patch, but I'd prefer not to.
next prev parent reply other threads:[~2008-02-27 16:54 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20080225094951.5bd89c9c@extreme>
2008-02-27 11:52 ` [RFC] Allowing non-root to get iptables info? Patrick McHardy
2008-02-27 12:31 ` Michał Mirosław
2008-02-27 12:43 ` Patrick McHardy
2008-02-27 12:59 ` Jozsef Kadlecsik
2008-02-27 13:04 ` Patrick McHardy
2008-02-27 14:39 ` mouss
2008-02-27 14:51 ` Patrick McHardy
2008-02-27 15:31 ` Phil Oester
2008-02-27 15:34 ` Patrick McHardy
2008-02-27 15:43 ` Phil Oester
2008-02-27 16:34 ` Stephen Hemminger
2008-02-27 16:53 ` Patrick McHardy [this message]
2008-02-27 17:48 ` mouss
2008-02-27 16:51 ` Jan Engelhardt
2008-02-27 12:18 ` Patrick McHardy
2008-02-28 9:18 ` Harald Welte
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=47C5958F.3000704@trash.net \
--to=kaber@trash.net \
--cc=kadlec@blackhole.kfki.hu \
--cc=kernel@linuxace.com \
--cc=mirq-linux@rere.qmqm.pl \
--cc=mouss@netoyen.net \
--cc=netfilter-devel@vger.kernel.org \
--cc=shemminger@vyatta.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.