Re: [RFC] Allowing non-root to get iptables info?

Re: [RFC] Allowing non-root to get iptables info?

[Patrick McHardy]

Stephen Hemminger wrote:
> Is there any strong reason why checking the status of iptables is restricted?
>
> Vyatta makes a distribution for routers. In our case, we use a non-root account
> for operator commands, and some of the commands are about querying iptables status.
> It seems to be less risky to just fix the kernel to allow non-root user to query rules
> than the current script that uses sudo. Another alternative would be building a special
> restricted command that could be setuid root, but just changing the kernel seems easiest.
>   

I always thought of it as a privacy thing, similar to restricting
/proc/net/nf_conntrack. But since iptables rules usually don't
allow you to determine active connections just from the packet
counters that might be overkill. So I don't see any real harm
in allowing users to list the ruleset.

I'll queue this patch for 2.6.26 if nobody has any objections.

Re: [RFC] Allowing non-root to get iptables info?

[Patrick McHardy]

Stephen Hemminger wrote:
> Is there any strong reason why checking the status of iptables is restricted?
> 
> Vyatta makes a distribution for routers. In our case, we use a non-root account
> for operator commands, and some of the commands are about querying iptables status.
> It seems to be less risky to just fix the kernel to allow non-root user to query rules
> than the current script that uses sudo. Another alternative would be building a special
> restricted command that could be setuid root, but just changing the kernel seems easiest.
> 
> 
> 
> Subject: [PATCH] allow non-root to query iptables
> 
> This change allows non-root users to do 'iptables -L'.
> 
> ---
>  net/ipv4/netfilter/ip_tables.c  |    6 ------
>  net/ipv6/netfilter/ip6_tables.c |    3 ---
>  2 files changed, 0 insertions(+), 9 deletions(-)


We should also change arp_tables and ebtables. If you send me an
updated patch I'll queue it for 2.6.26.

Re: [RFC] Allowing non-root to get iptables info?

[Michał Mirosław]

On Wed, Feb 27, 2008 at 12:52:52PM +0100, Patrick McHardy wrote:
> Stephen Hemminger wrote:
> >Is there any strong reason why checking the status of iptables is 
> >restricted?
> >
> >Vyatta makes a distribution for routers. In our case, we use a non-root 
> >account
> >for operator commands, and some of the commands are about querying 
> >iptables status.
> >It seems to be less risky to just fix the kernel to allow non-root user to 
> >query rules
> >than the current script that uses sudo. Another alternative would be 
> >building a special
> >restricted command that could be setuid root, but just changing the kernel 
> >seems easiest.
> I always thought of it as a privacy thing, similar to restricting
> /proc/net/nf_conntrack. But since iptables rules usually don't
> allow you to determine active connections just from the packet
> counters that might be overkill. So I don't see any real harm
> in allowing users to list the ruleset.

At least for iptables, reading of iptables status can be done by making
iptables-save setuid-root. So I think no kernel patching is necessary.

 -- Michal Miroslaw

Re: [RFC] Allowing non-root to get iptables info?

[Patrick McHardy]

Please don't trim CC lists.

Micha³ Miros³aw wrote:
> On Wed, Feb 27, 2008 at 12:52:52PM +0100, Patrick McHardy wrote:
>> Stephen Hemminger wrote:
>>> Is there any strong reason why checking the status of iptables is 
>>> restricted?
>>>
>>> Vyatta makes a distribution for routers. In our case, we use a non-root 
>>> account
>>> for operator commands, and some of the commands are about querying 
>>> iptables status.
>>> It seems to be less risky to just fix the kernel to allow non-root user to 
>>> query rules
>>> than the current script that uses sudo. Another alternative would be 
>>> building a special
>>> restricted command that could be setuid root, but just changing the kernel 
>>> seems easiest.
>> I always thought of it as a privacy thing, similar to restricting
>> /proc/net/nf_conntrack. But since iptables rules usually don't
>> allow you to determine active connections just from the packet
>> counters that might be overkill. So I don't see any real harm
>> in allowing users to list the ruleset.
> 
> At least for iptables, reading of iptables status can be done by making
> iptables-save setuid-root. So I think no kernel patching is necessary.


Thats true, but I wouldn't do that since iptables is not the
most trustworthy code.
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [RFC] Allowing non-root to get iptables info?

[Jozsef Kadlecsik]

On Wed, 27 Feb 2008, Patrick McHardy wrote:

> Micha? Miros?aw wrote:
> > On Wed, Feb 27, 2008 at 12:52:52PM +0100, Patrick McHardy wrote:
> > > Stephen Hemminger wrote:
> > > > Is there any strong reason why checking the status of iptables is
> > > > restricted?
> > > > 
> > > > Vyatta makes a distribution for routers. In our case, we use a non-root
> > > > account
> > > > for operator commands, and some of the commands are about querying
> > > > iptables status.
> > > > It seems to be less risky to just fix the kernel to allow non-root user
> > > > to query rules
> > > > than the current script that uses sudo. Another alternative would be
> > > > building a special
> > > > restricted command that could be setuid root, but just changing the
> > > > kernel seems easiest.
> > > I always thought of it as a privacy thing, similar to restricting
> > > /proc/net/nf_conntrack. But since iptables rules usually don't
> > > allow you to determine active connections just from the packet
> > > counters that might be overkill. So I don't see any real harm
> > > in allowing users to list the ruleset.
> > 
> > At least for iptables, reading of iptables status can be done by making
> > iptables-save setuid-root. So I think no kernel patching is necessary.
> 
> Thats true, but I wouldn't do that since iptables is not the
> most trustworthy code.

I'd be more happy with a module parameter and/or proc switch by which this 
new feature could be enabled. So backward compatibility could be kept and 
the users could list the rules only if the system is explicitly configured 
to allow it.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: [RFC] Allowing non-root to get iptables info?

[Patrick McHardy]

[Adding Stephen back to CC list]

Jozsef Kadlecsik wrote:
> On Wed, 27 Feb 2008, Patrick McHardy wrote:
> 
>> Micha? Miros?aw wrote:
>>> On Wed, Feb 27, 2008 at 12:52:52PM +0100, Patrick McHardy wrote:
>>>> Stephen Hemminger wrote:
>>>>> Is there any strong reason why checking the status of iptables is
>>>>> restricted?
>>>>>
>>>>> Vyatta makes a distribution for routers. In our case, we use a non-root
>>>>> account
>>>>> for operator commands, and some of the commands are about querying
>>>>> iptables status.
>>>>> It seems to be less risky to just fix the kernel to allow non-root user
>>>>> to query rules
>>>>> than the current script that uses sudo. Another alternative would be
>>>>> building a special
>>>>> restricted command that could be setuid root, but just changing the
>>>>> kernel seems easiest.
>>>> I always thought of it as a privacy thing, similar to restricting
>>>> /proc/net/nf_conntrack. But since iptables rules usually don't
>>>> allow you to determine active connections just from the packet
>>>> counters that might be overkill. So I don't see any real harm
>>>> in allowing users to list the ruleset.
>>> At least for iptables, reading of iptables status can be done by making
>>> iptables-save setuid-root. So I think no kernel patching is necessary.
>> Thats true, but I wouldn't do that since iptables is not the
>> most trustworthy code.
> 
> I'd be more happy with a module parameter and/or proc switch by which this 
> new feature could be enabled. So backward compatibility could be kept and 
> the users could list the rules only if the system is explicitly configured 
> to allow it.


I don't think compatibility is a problem here, lifting this
restriction can't possibly break anything in userspace.

The question is more whether this causes privacy or other issues,
if yes, we shouldn't do it, otherwise there's no harm in doing
in unconditionally. I personally don't see any problems with
this change.

Re: [RFC] Allowing non-root to get iptables info?

[mouss]

Patrick McHardy wrote:
> [Adding Stephen back to CC list]
>
> Jozsef Kadlecsik wrote:
>> On Wed, 27 Feb 2008, Patrick McHardy wrote:
>>
>>> Micha? Miros?aw wrote:
>>>> On Wed, Feb 27, 2008 at 12:52:52PM +0100, Patrick McHardy wrote:
>>>>> Stephen Hemminger wrote:
>>>>>> Is there any strong reason why checking the status of iptables is
>>>>>> restricted?
>>>>>>
>>>>>> Vyatta makes a distribution for routers. In our case, we use a 
>>>>>> non-root
>>>>>> account
>>>>>> for operator commands, and some of the commands are about querying
>>>>>> iptables status.
>>>>>> It seems to be less risky to just fix the kernel to allow 
>>>>>> non-root user
>>>>>> to query rules
>>>>>> than the current script that uses sudo. Another alternative would be
>>>>>> building a special
>>>>>> restricted command that could be setuid root, but just changing the
>>>>>> kernel seems easiest.
>>>>> I always thought of it as a privacy thing, similar to restricting
>>>>> /proc/net/nf_conntrack. But since iptables rules usually don't
>>>>> allow you to determine active connections just from the packet
>>>>> counters that might be overkill. So I don't see any real harm
>>>>> in allowing users to list the ruleset.
>>>> At least for iptables, reading of iptables status can be done by 
>>>> making
>>>> iptables-save setuid-root. So I think no kernel patching is necessary.
>>> Thats true, but I wouldn't do that since iptables is not the
>>> most trustworthy code.
>>
>> I'd be more happy with a module parameter and/or proc switch by which 
>> this new feature could be enabled. So backward compatibility could be 
>> kept and the users could list the rules only if the system is 
>> explicitly configured to allow it.
>
>
> I don't think compatibility is a problem here, lifting this
> restriction can't possibly break anything in userspace.
>
> The question is more whether this causes privacy or other issues,
> if yes, we shouldn't do it, otherwise there's no harm in doing
> in unconditionally. I personally don't see any problems with
> this change.


on a server where are allowed to run commands, but we don't want them to 
know more than they should, I am not sure one wants them to see the 
rules. call it security by obscurity if you like, but some people may 
want this. I guess this is what Jozef meant by compatibility (is it 
"least surprise"?).

Re: [RFC] Allowing non-root to get iptables info?

[Patrick McHardy]

mouss wrote:
> Patrick McHardy wrote:
>> [Adding Stephen back to CC list]
>>
>> Jozsef Kadlecsik wrote:
>>> I'd be more happy with a module parameter and/or proc switch by which 
>>> this new feature could be enabled. So backward compatibility could be 
>>> kept and the users could list the rules only if the system is 
>>> explicitly configured to allow it.
>>
>>
>> I don't think compatibility is a problem here, lifting this
>> restriction can't possibly break anything in userspace.
>>
>> The question is more whether this causes privacy or other issues,
>> if yes, we shouldn't do it, otherwise there's no harm in doing
>> in unconditionally. I personally don't see any problems with
>> this change.
> 
> 
> on a server where are allowed to run commands, but we don't want them to
> know more than they should, I am not sure one wants them to see the
> rules. call it security by obscurity if you like, but some people may
> want this. I guess this is what Jozef meant by compatibility (is it
> "least surprise"?).


Well, yes, the main question is whether this causes privacy issues.
"Security by obscurity" is a pretty poor argument, does anyone have
a well founded reason for not allowing users to see the rules and
counters?

Re: [RFC] Allowing non-root to get iptables info?

[Phil Oester]

On Wed, Feb 27, 2008 at 03:51:20PM +0100, Patrick McHardy wrote:
> Well, yes, the main question is whether this causes privacy issues.
> "Security by obscurity" is a pretty poor argument, does anyone have
> a well founded reason for not allowing users to see the rules and
> counters?

I really don't think this is a good idea.  We allow non-root users
on some of our firewalls, and I don't want them to see the ruleset.
Also, it helps miscreants to better pick their targets, if they
know in advance which ports are opened.

If making this change, *please* consider making it configurable,
with the default being NO access.

Phil

Re: [RFC] Allowing non-root to get iptables info?

[Patrick McHardy]

Phil Oester wrote:
> On Wed, Feb 27, 2008 at 03:51:20PM +0100, Patrick McHardy wrote:
>> Well, yes, the main question is whether this causes privacy issues.
>> "Security by obscurity" is a pretty poor argument, does anyone have
>> a well founded reason for not allowing users to see the rules and
>> counters?
> 
> I really don't think this is a good idea.  We allow non-root users
> on some of our firewalls, and I don't want them to see the ruleset.
> Also, it helps miscreants to better pick their targets, if they
> know in advance which ports are opened.


They could also find out about this simply by probing ports ...

> If making this change, *please* consider making it configurable,
> with the default being NO access.


No, in that case I prefer to keep it restricted to root
unconditionally. Using sudo to get the rules is no big
deal I guess.

Re: [RFC] Allowing non-root to get iptables info?

[Phil Oester]

On Wed, Feb 27, 2008 at 04:34:38PM +0100, Patrick McHardy wrote:
> Phil Oester wrote:
> >I really don't think this is a good idea.  We allow non-root users
> >on some of our firewalls, and I don't want them to see the ruleset.
> >Also, it helps miscreants to better pick their targets, if they
> >know in advance which ports are opened.
> 
> 
> They could also find out about this simply by probing ports ...

And assuming a /16 with 65K ports, that would take a bit longer than
the few seconds it takes to dump the ruleset.  Why make it easier
than it has to be?

> >If making this change, *please* consider making it configurable,
> >with the default being NO access.
> 
> 
> No, in that case I prefer to keep it restricted to root
> unconditionally. Using sudo to get the rules is no big
> deal I guess.

Seconded.

Phil

Re: [RFC] Allowing non-root to get iptables info?

[Stephen Hemminger]

On Wed, 27 Feb 2008 07:43:20 -0800
Phil Oester <kernel@linuxace.com> wrote:

> On Wed, Feb 27, 2008 at 04:34:38PM +0100, Patrick McHardy wrote:
> > Phil Oester wrote:
> > >I really don't think this is a good idea.  We allow non-root users
> > >on some of our firewalls, and I don't want them to see the ruleset.
> > >Also, it helps miscreants to better pick their targets, if they
> > >know in advance which ports are opened.
> > 
> > 
> > They could also find out about this simply by probing ports ...
> 
> And assuming a /16 with 65K ports, that would take a bit longer than
> the few seconds it takes to dump the ruleset.  Why make it easier
> than it has to be?
> 
> > >If making this change, *please* consider making it configurable,
> > >with the default being NO access.
> > 
> > 
> > No, in that case I prefer to keep it restricted to root
> > unconditionally. Using sudo to get the rules is no big
> > deal I guess.
> 

Well in our case of router administration the risk of allowing an operator
sudo access to iptables is higher than the risk of exposing ports to wankers.
This is a special purpose distribution, so we will allow it, how about
a config option or sysctl?

Re: [RFC] Allowing non-root to get iptables info?

[Jan Engelhardt]

On Feb 27 2008 15:39, mouss wrote:
> on a server where are allowed to run commands, but we don't want them to know
> more than they should, I am not sure one wants them to see the rules. call it
> security by obscurity if you like, but some people may want this. I guess this
> is what Jozef meant by compatibility (is it "least surprise"?).

=>
>> > I'd be more happy with a module parameter and/or proc switch by which this
>> > new feature could be enabled.

So just `modprobe ip_tables ipfreely=0` on your systems
once that option has been added.

Re: [RFC] Allowing non-root to get iptables info?

[Patrick McHardy]

Stephen Hemminger wrote:
> On Wed, 27 Feb 2008 07:43:20 -0800
> Phil Oester <kernel@linuxace.com> wrote:
> 
>> On Wed, Feb 27, 2008 at 04:34:38PM +0100, Patrick McHardy wrote:
>>> Phil Oester wrote:
>>>> I really don't think this is a good idea.  We allow non-root users
>>>> on some of our firewalls, and I don't want them to see the ruleset.
>>>> Also, it helps miscreants to better pick their targets, if they
>>>> know in advance which ports are opened.
>>>
>>> They could also find out about this simply by probing ports ...
>> And assuming a /16 with 65K ports, that would take a bit longer than
>> the few seconds it takes to dump the ruleset.  Why make it easier
>> than it has to be?
>>
>>>> If making this change, *please* consider making it configurable,
>>>> with the default being NO access.
>>>
>>> No, in that case I prefer to keep it restricted to root
>>> unconditionally. Using sudo to get the rules is no big
>>> deal I guess.
> 
> Well in our case of router administration the risk of allowing an operator
> sudo access to iptables is higher than the risk of exposing ports to wankers.
> This is a special purpose distribution, so we will allow it, how about
> a config option or sysctl?


I don't like having things like this controlled through config
options or sysctls. I'd take a patch, but I'd prefer not to.

Re: [RFC] Allowing non-root to get iptables info?

[mouss]

Patrick McHardy wrote:
> Phil Oester wrote:
>> On Wed, Feb 27, 2008 at 03:51:20PM +0100, Patrick McHardy wrote:
>>> Well, yes, the main question is whether this causes privacy issues.
>>> "Security by obscurity" is a pretty poor argument, does anyone have
>>> a well founded reason for not allowing users to see the rules and
>>> counters?
>>
>> I really don't think this is a good idea.  We allow non-root users
>> on some of our firewalls, and I don't want them to see the ruleset.
>> Also, it helps miscreants to better pick their targets, if they
>> know in advance which ports are opened.
>
>
> They could also find out about this simply by probing ports ...

they could, but their IP may get blocked before that. if they know the 
rules, they will avoid being trapped. of course, the attack requires 
user collaboration, but why make it easier?

many people use "reactive" rules that blacklist an IP after N bad 
requests. if an attacker knows how many requests during what period of 
time he can do without being blacklisted, his task is easier. sure, a 
botnet owner doesn't care as he can use a distributed attack, but that's 
no reason to help silly kids.

or consider a case when a set of ports is forwarded to a set of hosts. 
why would a user need to know? it's none of his business. 

I would understand giving users information they need to do their job so 
that they don't bother admins or spend too much time in useless 
debugging. but this is different than giving access to _all_ 
informations to _all_ users. I said "security by obscurity", but it may 
also be considered as "minimum privilege" (or one tool in a "defense in 
depth" strategy)

>
>> If making this change, *please* consider making it configurable,
>> with the default being NO access.
>
>
> No, in that case I prefer to keep it restricted to root
> unconditionally. Using sudo to get the rules is no big
> deal I guess.
>

I agree. if it can be implemented in "user space", there is no reason to 
"pollute" netfilter. one can even think of a program that gives specific 
infos based on user/group rules.