* xtables tools locking vulnerable to local DoS
@ 2015-01-12 14:41 Lennart Poettering
0 siblings, 0 replies; only message in thread
From: Lennart Poettering @ 2015-01-12 14:41 UTC (permalink / raw)
To: netfilter-devel
Heya,
I noticed that the iptables/xtables userspace tools implement a
locking scheme based on abstract namespace AF_UNIX sockets, in
xtables_lock() in iptables/xshared.c. This is vulnerable to local DoS,
since unprivileged clients can create that socket too, thus making all
iptables tools hang and hinder them from making changes to the
firewall. Abstract namespace AF_UNIX sockets are really not a suitable
locking primitive!
The code should probably be changed to use a file lock (BSD flock()
preferably) on a lock file in /run somewhere, with correct access
modes, so that unpriviliged users cannot play games with this.
Also, the sleep() loop around the AF_UNIX bind is pretty ugly anyway...
Lennart
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2015-01-12 14:47 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-01-12 14:41 xtables tools locking vulnerable to local DoS Lennart Poettering
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).