From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: module owner does not work
Date: Mon, 01 Mar 2010 12:20:52 +0100
Message-ID: <4B8BA314.60804@plouf.fr.eu.org>
In-Reply-To: <56378e321003010306n21050b6dwd01154e0420b666a@mail.gmail.com>
Hello,
Richard Horton wrote:
> On 1 March 2010 09:33, Lentes, Bernd <bernd.lentes@helmholtz-muenchen.de> wrote:
>>
>> I'd like to use the owner module to limit access to some hosts just
>> for some users. But it doesn't work.
>> My rule is:
>> iptables -I OUTPUT -d 0.0.0.0/0 -m owner --uid-owner 1000 -j REJECT
>> This is a very wide rule, just for testing purposes.
>
> Do pings still work?
Probably, as ping runs with suid root. Better try with something like
telnet or netcat (nc).
>> But uid 1000 is still able e.g. to send emails from the shell using mail.
>
> If you have an MTA locally, it's probably not going out of the box as
> the uid of the process which called mail but as the uid of the MTA...
I agree.
>> I googled already a lot, and found people saying the owner module was
>> cancelled in kernel 2.6.14, others saying that it still works in kernel
>> 2.6.18. Some say it does not work with an SMP host. But I have the
>> default kernel and only one CPU.
AFAIK, only the --pid-owner, --sid-owner and --cmd-owner options are
broken on SMP and were removed in kernel 2.6.14. The 'owner' match,
--uid-owner and --gid-owner options are still present and work.
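As an added illustration (not part of this thread, and not code from anyone in it), a small sh script that checks whether the usual test clients are setuid root, since packets from a setuid binary are attributed by the owner match to the binary's owner (root) rather than to the invoking user, which is why a REJECT on --uid-owner 1000 seems not to fire for ping. The tool names, uid 1000 and the mail host are assumptions; the iptables function is only meant to be called by hand as root.

```sh
#!/bin/sh
# Added example, not from the thread: why "ping" is a poor test for an
# "-m owner --uid-owner" rule, and what to check instead.
# Assumptions: GNU/Linux userland, uid 1000 is the unprivileged test user.

TEST_UID=1000   # uid from the rule under test

# Print the uid the owner match will see on packets sent by binary $1 when
# it is invoked by the user with uid $2. A setuid binary runs with its
# owner's uid (root for a classic ping), so its packets never match
# "--uid-owner 1000". A ping built with file capabilities instead of setuid
# keeps the caller's uid and therefore does match.
effective_uid_seen_by_owner_match() {
    path=$1; caller_uid=$2
    if [ -u "$path" ]; then
        ls -ln "$path" | awk '{ print $3 }'   # numeric owner of the binary
    else
        echo "$caller_uid"
    fi
}

# Survey the usual test tools and flag the ones that bypass the rule.
survey_test_tools() {
    for tool in ping telnet nc; do
        p=$(command -v "$tool" 2>/dev/null) || { echo "$tool: not installed"; continue; }
        seen=$(effective_uid_seen_by_owner_match "$p" "$TEST_UID")
        if [ "$seen" -eq "$TEST_UID" ]; then
            echo "$tool: packets carry uid $seen -> good test of the rule"
        else
            echo "$tool: setuid, packets carry uid $seen -> bypasses the rule"
        fi
    done
}

# Root only, call by hand: insert the REJECT rule from the thread and show
# its packet counters; then connect as the test user with a non-setuid tool
# (e.g. sudo -u "#$TEST_UID" nc -z -w 2 mail.example.org 25) and watch the
# REJECT counter increase, which is the real proof the match works.
show_rule_counters() {
    iptables -I OUTPUT -m owner --uid-owner "$TEST_UID" -j REJECT
    iptables -L OUTPUT -v -n --line-numbers | head -5
}

survey_test_tools
```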