netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Lennart Poettering <lennart@poettering.net>
To: netfilter-devel@vger.kernel.org
Subject: xtables tools locking vulnerable to local DoS
Date: Mon, 12 Jan 2015 15:41:16 +0100	[thread overview]
Message-ID: <20150112144115.GA25098@gardel-login> (raw)

Heya,

I noticed that the iptables/xtables userspace tools implement a
locking scheme based on abstract namespace AF_UNIX sockets, in
xtables_lock() in iptables/xshared.c. This is vulnerable to local DoS,
since unprivileged clients can create that socket too, thus making all
iptables tools hang and hinder them from making changes to the
firewall. Abstract namespace AF_UNIX sockets are really not a suitable
locking primitive!

The code should probably be changed to use a file lock (BSD flock()
preferably) on a lock file in /run somewhere, with correct access
modes, so that unpriviliged users cannot play games with this.

Also, the sleep() loop around the AF_UNIX bind is pretty ugly anyway...

Lennart

                 reply	other threads:[~2015-01-12 14:47 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150112144115.GA25098@gardel-login \
    --to=lennart@poettering.net \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).