* module owner does not work
@ 2010-03-01  9:33 Lentes, Bernd
  2010-03-01 11:06 ` Richard Horton
  0 siblings, 1 reply; 4+ messages in thread
From: Lentes, Bernd @ 2010-03-01  9:33 UTC (permalink / raw)
  To: 'netfilter@vger.kernel.org'

Hello,

I'd like to use the owner module to limit access to some hosts just for some users. But it doesn't work.
My rule is:
iptables -I OUTPUT -d 0.0.0.0/0 -m owner --uid-owner 1000 -j REJECT
This is a very wide rule, just for testing purposes.

But uid 1000 is still able e.g. to send emails from the shell using mail.
I googled already a lot, and found people saying the owner module was cancelled in kernel 2.6.14, others saying that it still works in kernel 2.6.18. Some say it does not work with an SMP host. But I have the default kernel and only one CPU. Please help me, I'm running out of ideas.
I'm running SLES 10 SP3, kernel 2.6.16.60-0.59.1-default, iptables 1.3.5.

Bernd


* Re: module owner does not work
  2010-03-01  9:33 module owner does not work Lentes, Bernd
@ 2010-03-01 11:06 ` Richard Horton
  2010-03-01 11:20   ` Pascal Hambourg
  0 siblings, 1 reply; 4+ messages in thread
From: Richard Horton @ 2010-03-01 11:06 UTC (permalink / raw)
  To: Lentes, Bernd; +Cc: netfilter@vger.kernel.org

On 1 March 2010 09:33, Lentes, Bernd <bernd.lentes@helmholtz-muenchen.de> wrote:
> Hello,
>
> I'd like to use the owner module to limit access to some hosts just for some users. But it doesn't work.
> My rule is:
> iptables -I OUTPUT -d 0.0.0.0/0 -m owner --uid-owner 1000 -j REJECT
> This is a very wide rule, just for testing purposes.
>

Do pings still work?

If you have an MTA locally it's probably not going out of the box as
the uid of the process which called mail but as the uid of the MTA...

-- 
Richard Horton
Users are like a virus: Each causing a thousand tiny crises until the
host finally dies.
http://www.solstans.co.uk - Solstans Japanese Bobtails and Norwegian Forest Cats
http://www.pbase.com/arimus - My online photogallery


* Re: module owner does not work
  2010-03-01 11:06 ` Richard Horton
@ 2010-03-01 11:20   ` Pascal Hambourg
  2010-03-01 17:03     ` AW: " Lentes, Bernd
  0 siblings, 1 reply; 4+ messages in thread
From: Pascal Hambourg @ 2010-03-01 11:20 UTC (permalink / raw)
  To: netfilter@vger.kernel.org

Hello,

Richard Horton wrote:
> On 1 March 2010 09:33, Lentes, Bernd <bernd.lentes@helmholtz-muenchen.de> wrote:
>>
>> I'd like to use the owner module to limit access to some hosts just
>> for some users. But it doesn't work.
>> My rule is:
>> iptables -I OUTPUT -d 0.0.0.0/0 -m owner --uid-owner 1000 -j REJECT
>> This is a very wide rule, just for testing purposes.
> 
> Do pings still work?

Probably, as ping runs with suid root. Better try with something like
telnet or netcat (nc).

>> But uid 1000 is still able e.g. to send emails from the shell using mail.
>
> If you have an MTA locally it's probably not going out of the box as
> the uid of the process which called mail but as the uid of the MTA...

I agree.

>> I googled already a lot, and found people saying the owner module was
>> cancelled in kernel 2.6.14, others saying that it still works in kernel
>> 2.6.18. Some say it does not work with an SMP host. But I have the
>> default kernel and only one CPU.

AFAIK, only the --pid-owner, --sid-owner and --cmd-owner options are
broken on SMP and were removed in kernel 2.6.14. The 'owner' match,
--uid-owner and --gid-owner options are still present and work.


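The two pitfalls raised in this thread (a set-uid tool such as ping sends under root, and mail handed to a local MTA leaves the box under the MTA's uid) both come down to one question: which uid does the owner match actually see? The following script is an added example, not code from the thread or from the netfilter project. It predicts the uid for the set-uid case from the executable's mode bits, and prints a LOG rule ahead of the REJECT so the kernel log reveals the real uid in cases (like the MTA hand-off) that file modes cannot predict. It assumes GNU stat (`stat -c %u`) and only prints the iptables commands rather than running them, so no root is needed.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumes GNU stat.

# Print the uid the OUTPUT-chain owner match will see for traffic sent by
# the executable at $1 when uid $2 runs it: the file owner when the set-uid
# bit is on (ping was set-uid root on SLES 10), otherwise the invoking uid.
socket_owner_uid() {
    exe=$1
    invoking_uid=$2
    if [ -u "$exe" ]; then
        stat -c %u "$exe"          # GNU stat: numeric owner of the file
    else
        printf '%s\n' "$invoking_uid"
    fi
}

# Exit status 0 when a "--uid-owner $1" rule would match traffic from
# executable $2 run by uid $3, 1 otherwise.
uid_rule_matches() {
    [ "$1" = "$(socket_owner_uid "$2" "$3")" ]
}

# Emit the rules for one uid (default destination: everywhere, as in the
# thread). Each "-I OUTPUT 1" puts its rule at the top of the chain, so
# inserting REJECT first and LOG second leaves LOG ahead of REJECT: the
# kernel log then records which uid the packet really carried before it
# is refused. The commands are printed, not executed.
owner_rules() {
    uid=$1
    dest=${2:-0.0.0.0/0}
    printf 'iptables -I OUTPUT 1 -d %s -m owner --uid-owner %s -j REJECT\n' "$dest" "$uid"
    printf 'iptables -I OUTPUT 1 -d %s -m owner --uid-owner %s -j LOG --log-prefix "owner uid %s: "\n' "$dest" "$uid" "$uid"
}

# Worked run: show the rules for uid 1000 and predict what the match sees
# for a non-set-uid test tool (nc) versus a set-uid one (ping), if present.
if [ "${1:-}" = "demo" ]; then
    owner_rules 1000
    for exe in /bin/nc /usr/bin/nc /bin/ping; do
        [ -e "$exe" ] || continue
        printf '%s run by uid 1000 -> owner match sees uid %s\n' \
            "$exe" "$(socket_owner_uid "$exe" 1000)"
    done
fi
```

Run it as `sh owner_check.sh demo`. The set-uid check explains the ping result; it cannot explain the mail case, because `mail` hands the message to an MTA process that opens the outbound connection under its own uid, which is exactly what the LOG rule makes visible. On current distributions ping often uses file capabilities or unprivileged ICMP sockets instead of set-uid root, so a clean `[ -u ]` result there no longer guarantees the invoking uid is the one matched; the LOG rule remains the reliable check.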
* AW: module owner does not work
  2010-03-01 11:20   ` Pascal Hambourg
@ 2010-03-01 17:03     ` Lentes, Bernd
  0 siblings, 0 replies; 4+ messages in thread
From: Lentes, Bernd @ 2010-03-01 17:03 UTC (permalink / raw)
  To: netfilter@vger.kernel.org

Hi,

Pascal Hambourg wrote:

> Hello,
> 
> Richard Horton wrote:
> > On 1 March 2010 09:33, Lentes, Bernd 
> <bernd.lentes@helmholtz-muenchen.de> wrote:
> >>

> > 
> > Do pings still work?
> 
> Probably, as ping runs with suid root. Better try with 
> something like telnet or netcat (nc).

I tried telnet, and it worked! Thanks for your answer.

> 
> >> But uid 1000 is still able e.g. to send emails from the 
> shell using mail.
> >
> > If you have an MTA locally it's probably not going out of the box as 
> > the uid of the process which called mail but as the uid of 
> the MTA...
> 
> I agree.
> 

I also agree.

Bernd

