* Possible bug in iptables : -m --uid-owner not working with ping
@ 2012-10-22 14:38 matjaž
2012-10-22 14:43 ` AW: " Steffen Heil (Mailinglisten)
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: matjaž @ 2012-10-22 14:38 UTC (permalink / raw)
To: netfilter
Hi all,
Is it possible that owner matching does not work correctly ?
I tried blocking internet access to one user, but found out he can still
use ping.
Pleas see below : (I removed some lines from ping output for clarity -
also there are no other rules in iptables)
matjaz@laptop:~$ iptables --version
iptables v1.4.16.3
matjaz@laptop:~$ sudo iptables -F -t nat ; sudo iptables -F
matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
64 bytes from 173.194.35.145: icmp_req=1 ttl=51 time=46.9 ms
# ok, works
matjaz@laptop:~$ id nonet
uid=1002(nonet) gid=1003(nonet) groups=1003(nonet)
matjaz@laptop:~$ sudo iptables -A OUTPUT -p icmp -m owner --uid-owner
1002 -j REJECT
matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
64 bytes from 173.194.35.145: icmp_req=1 ttl=51 time=46.7 ms
# not ok, still works
matjaz@laptop:~$ sudo iptables -A OUTPUT -p icmp -j REJECT
matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
My machine :
matjaz@laptop:~$ cat /etc/issue
Ubuntu 12.04.1 LTS \n \l
matjaz@laptop:~$ uname -a
Linux laptop 3.2.0-32-generic #51-Ubuntu SMP Wed Sep 26 21:33:09 UTC
2012 x86_64 x86_64 x86_64 GNU/Linux
I installed the latest version of iptables (this didn't work even with
the ubuntu supplied version) from source and rebooted before testing. I
didn't uninstall the previous version before installation.
Also : the -match --uid-owner seems to work on other protocols.
Oddly enough, using group id instead seems to work :
matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
64 bytes from 173.194.35.145: icmp_req=1 ttl=51 time=47.6 ms
--- 173.194.35.145 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 46.284/46.994/47.659/0.615 ms
matjaz@laptop:~$ sudo iptables -A OUTPUT -p icmp -m owner --gid-owner
1003 -j REJECT
matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
From 192.168.2.151 icmp_seq=1 Destination Port Unreachable
--- 173.194.35.145 ping statistics ---
0 packets transmitted, 0 received, +3 errors
matjaz@laptop:~$ ping -c 3 173.194.35.145
PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
64 bytes from 173.194.35.145: icmp_req=1 ttl=51 time=47.3 ms
--- 173.194.35.145 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 46.645/46.933/47.373/0.402 ms
Is this expected behaviour ?
Best regards,
Matjaž Berčič
^ permalink raw reply [flat|nested] 6+ messages in thread* AW: Possible bug in iptables : -m --uid-owner not working with ping
2012-10-22 14:38 Possible bug in iptables : -m --uid-owner not working with ping matjaž
@ 2012-10-22 14:43 ` Steffen Heil (Mailinglisten)
2012-10-22 16:19 ` Jan Engelhardt
2012-10-22 14:44 ` Eric Leblond
2012-10-22 14:44 ` /dev/rob0
2 siblings, 1 reply; 6+ messages in thread
From: Steffen Heil (Mailinglisten) @ 2012-10-22 14:43 UTC (permalink / raw)
To: matjaž, netfilter@vger.kernel.org
[-- Attachment #1: Type: text/plain, Size: 3621 bytes --]
Hi
On my system /bin/ping has suid-bit set.
So it it always executed as root, not as the user invoking it.
As far as I know, ping requires root privileges...
Regards,
Steffen
> -----Ursprüngliche Nachricht-----
> Von: netfilter-owner@vger.kernel.org [mailto:netfilter-
> owner@vger.kernel.org] Im Auftrag von matjaž
> Gesendet: Montag, 22. Oktober 2012 16:39
> An: netfilter@vger.kernel.org
> Betreff: Possible bug in iptables : -m --uid-owner not working with ping
>
> Hi all,
> Is it possible that owner matching does not work correctly ?
> I tried blocking internet access to one user, but found out he can still
> use ping.
> Pleas see below : (I removed some lines from ping output for clarity -
> also there are no other rules in iptables)
>
> matjaz@laptop:~$ iptables --version
> iptables v1.4.16.3
> matjaz@laptop:~$ sudo iptables -F -t nat ; sudo iptables -F
> matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
> PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
> 64 bytes from 173.194.35.145: icmp_req=1 ttl=51 time=46.9 ms
> # ok, works
> matjaz@laptop:~$ id nonet
> uid=1002(nonet) gid=1003(nonet) groups=1003(nonet)
> matjaz@laptop:~$ sudo iptables -A OUTPUT -p icmp -m owner --uid-owner
> 1002 -j REJECT
> matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
> PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
> 64 bytes from 173.194.35.145: icmp_req=1 ttl=51 time=46.7 ms
> # not ok, still works
> matjaz@laptop:~$ sudo iptables -A OUTPUT -p icmp -j REJECT
> matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
> PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
> ping: sendmsg: Operation not permitted
>
> My machine :
> matjaz@laptop:~$ cat /etc/issue
> Ubuntu 12.04.1 LTS \n \l
> matjaz@laptop:~$ uname -a
> Linux laptop 3.2.0-32-generic #51-Ubuntu SMP Wed Sep 26 21:33:09 UTC
> 2012 x86_64 x86_64 x86_64 GNU/Linux
>
> I installed the latest version of iptables (this didn't work even with
> the ubuntu supplied version) from source and rebooted before testing. I
> didn't uninstall the previous version before installation.
>
> Also : the -match --uid-owner seems to work on other protocols.
>
> Oddly enough, using group id instead seems to work :
> matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
> PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
> 64 bytes from 173.194.35.145: icmp_req=1 ttl=51 time=47.6 ms
> --- 173.194.35.145 ping statistics ---
> 3 packets transmitted, 3 received, 0% packet loss, time 2002ms
> rtt min/avg/max/mdev = 46.284/46.994/47.659/0.615 ms
> matjaz@laptop:~$ sudo iptables -A OUTPUT -p icmp -m owner --gid-owner
> 1003 -j REJECT
> matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
> PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
> From 192.168.2.151 icmp_seq=1 Destination Port Unreachable
> --- 173.194.35.145 ping statistics ---
> 0 packets transmitted, 0 received, +3 errors
> matjaz@laptop:~$ ping -c 3 173.194.35.145
> PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
> 64 bytes from 173.194.35.145: icmp_req=1 ttl=51 time=47.3 ms
> --- 173.194.35.145 ping statistics ---
> 3 packets transmitted, 3 received, 0% packet loss, time 2003ms
> rtt min/avg/max/mdev = 46.645/46.933/47.373/0.402 ms
>
> Is this expected behaviour ?
> Best regards,
> Matjaž Berčič
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 6559 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: AW: Possible bug in iptables : -m --uid-owner not working with ping
2012-10-22 14:43 ` AW: " Steffen Heil (Mailinglisten)
@ 2012-10-22 16:19 ` Jan Engelhardt
2012-10-22 18:56 ` matjaž
0 siblings, 1 reply; 6+ messages in thread
From: Jan Engelhardt @ 2012-10-22 16:19 UTC (permalink / raw)
To: Steffen Heil; +Cc: matjaž, Netfilter user mailing list, rob0, Eric Lebond
On Monday 2012-10-22 16:43, Steffen Heil (Mailinglisten) wrote:
>Hi
>
>On my system /bin/ping has suid-bit set.
>So it it always executed as root, not as the user invoking it.
>
>As far as I know, ping requires root privileges...
Linux supports
socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP)
since v3.0, so ping does not _strictly_ need root anymore - and
meanwhile fixes your owner "mismatch".
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: AW: Possible bug in iptables : -m --uid-owner not working with ping
2012-10-22 16:19 ` Jan Engelhardt
@ 2012-10-22 18:56 ` matjaž
0 siblings, 0 replies; 6+ messages in thread
From: matjaž @ 2012-10-22 18:56 UTC (permalink / raw)
To: Jan Engelhardt
Cc: Steffen Heil, Netfilter user mailing list, rob0, Eric Lebond
Thank you all for your explanations.
And yes, my ping is suid and this solves my problems.
Best regards,
Matjaž
On 10/22/2012 06:19 PM, Jan Engelhardt wrote:
> On Monday 2012-10-22 16:43, Steffen Heil (Mailinglisten) wrote:
>
>> Hi
>>
>> On my system /bin/ping has suid-bit set.
>> So it it always executed as root, not as the user invoking it.
>>
>> As far as I know, ping requires root privileges...
>
> Linux supports
>
> socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP)
>
> since v3.0, so ping does not _strictly_ need root anymore - and
> meanwhile fixes your owner "mismatch".
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Possible bug in iptables : -m --uid-owner not working with ping
2012-10-22 14:38 Possible bug in iptables : -m --uid-owner not working with ping matjaž
2012-10-22 14:43 ` AW: " Steffen Heil (Mailinglisten)
@ 2012-10-22 14:44 ` Eric Leblond
2012-10-22 14:44 ` /dev/rob0
2 siblings, 0 replies; 6+ messages in thread
From: Eric Leblond @ 2012-10-22 14:44 UTC (permalink / raw)
To: matjaž; +Cc: netfilter
Hi,
Le lundi 22 octobre 2012 à 16:38 +0200, matjaž a écrit :
> Hi all,
> Is it possible that owner matching does not work correctly ?
> I tried blocking internet access to one user, but found out he can still
> use ping.
> Pleas see below : (I removed some lines from ping output for clarity -
> also there are no other rules in iptables)
>
> matjaz@laptop:~$ iptables --version
> iptables v1.4.16.3
> matjaz@laptop:~$ sudo iptables -F -t nat ; sudo iptables -F
> matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
> PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
> 64 bytes from 173.194.35.145: icmp_req=1 ttl=51 time=46.9 ms
> # ok, works
> matjaz@laptop:~$ id nonet
> uid=1002(nonet) gid=1003(nonet) groups=1003(nonet)
> matjaz@laptop:~$ sudo iptables -A OUTPUT -p icmp -m owner --uid-owner
> 1002 -j REJECT
> matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
> PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
> 64 bytes from 173.194.35.145: icmp_req=1 ttl=51 time=46.7 ms
> # not ok, still works
> matjaz@laptop:~$ sudo iptables -A OUTPUT -p icmp -j REJECT
> matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
> PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
> ping: sendmsg: Operation not permitted
There is one command missing in your list of commands ;)
$ ls -l $(which ping)
-rwsr-xr-x 1 root root 34780 oct. 3 00:26 /bin/ping
ping is setuid as it sends low level packet so the id seen by system is
root.
BR,
> My machine :
> matjaz@laptop:~$ cat /etc/issue
> Ubuntu 12.04.1 LTS \n \l
> matjaz@laptop:~$ uname -a
> Linux laptop 3.2.0-32-generic #51-Ubuntu SMP Wed Sep 26 21:33:09 UTC
> 2012 x86_64 x86_64 x86_64 GNU/Linux
>
> I installed the latest version of iptables (this didn't work even with
> the ubuntu supplied version) from source and rebooted before testing. I
> didn't uninstall the previous version before installation.
>
> Also : the -match --uid-owner seems to work on other protocols.
>
> Oddly enough, using group id instead seems to work :
> matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
> PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
> 64 bytes from 173.194.35.145: icmp_req=1 ttl=51 time=47.6 ms
> --- 173.194.35.145 ping statistics ---
> 3 packets transmitted, 3 received, 0% packet loss, time 2002ms
> rtt min/avg/max/mdev = 46.284/46.994/47.659/0.615 ms
> matjaz@laptop:~$ sudo iptables -A OUTPUT -p icmp -m owner --gid-owner
> 1003 -j REJECT
> matjaz@laptop:~$ sudo -u nonet ping -c 3 173.194.35.145
> PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
> From 192.168.2.151 icmp_seq=1 Destination Port Unreachable
> --- 173.194.35.145 ping statistics ---
> 0 packets transmitted, 0 received, +3 errors
> matjaz@laptop:~$ ping -c 3 173.194.35.145
> PING 173.194.35.145 (173.194.35.145) 56(84) bytes of data.
> 64 bytes from 173.194.35.145: icmp_req=1 ttl=51 time=47.3 ms
> --- 173.194.35.145 ping statistics ---
> 3 packets transmitted, 3 received, 0% packet loss, time 2003ms
> rtt min/avg/max/mdev = 46.645/46.933/47.373/0.402 ms
>
> Is this expected behaviour ?
> Best regards,
> Matjaž Berčič
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Possible bug in iptables : -m --uid-owner not working with ping
2012-10-22 14:38 Possible bug in iptables : -m --uid-owner not working with ping matjaž
2012-10-22 14:43 ` AW: " Steffen Heil (Mailinglisten)
2012-10-22 14:44 ` Eric Leblond
@ 2012-10-22 14:44 ` /dev/rob0
2 siblings, 0 replies; 6+ messages in thread
From: /dev/rob0 @ 2012-10-22 14:44 UTC (permalink / raw)
To: netfilter
On Mon, Oct 22, 2012 at 04:38:35PM +0200, matja¸ wrote:
> Is it possible that owner matching does not work correctly ?
> I tried blocking internet access to one user, but found out he can
> still use ping.
ping(1) must be SUID to have the privilege to make ICMP echo request
packets. Therefore outgoing pings are done as root.
Your solution would be to change permissions of your ping binary such
that the user in question cannot execute it.
snip
> Also : the -match --uid-owner seems to work on other protocols.
Indeed.
> Oddly enough, using group id instead seems to work :
snip
> Is this expected behaviour ?
Yes.
--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2012-10-22 18:56 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-10-22 14:38 Possible bug in iptables : -m --uid-owner not working with ping matjaž
2012-10-22 14:43 ` AW: " Steffen Heil (Mailinglisten)
2012-10-22 16:19 ` Jan Engelhardt
2012-10-22 18:56 ` matjaž
2012-10-22 14:44 ` Eric Leblond
2012-10-22 14:44 ` /dev/rob0
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.