Date: Thu, 5 May 2011 15:32:45 +0400
From: Vasiliy Kulikov
To: David Miller
Cc: solar@openwall.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, peak@argo.troja.mff.cuni.cz, kees.cook@canonical.com, dan.j.rosenberg@gmail.com, eugene@redhat.com, nelhage@ksplice.com, kuznet@ms2.inr.ac.ru, pekkas@netcore.fi, jmorris@namei.org, yoshfuji@linux-ipv6.org, kaber@trash.net
Subject: Re: [PATCH] net: ipv4: add IPPROTO_ICMP socket kind
Message-ID: <20110505113245.GA8959@albatros>
In-Reply-To: <20110412.142534.183049889.davem@davemloft.net>

On Tue, Apr 12, 2011 at 14:25 -0700, David Miller wrote:
> Third, either we trust this code or we do not. If we are OK with a
> user application spamming whatever they wish out of a datagram UDP
> socket, they can do no more harm with this thing unless there are
> bugs.

It is true in theory, but wrong in practice. I have a cheap router which can be made to almost fully hang with a simple ping flood. And I am almost sure many not very widespread implementations of IPv6 would react in a not very clever way to a non-echo ICMPv6 flood (I'd want to make more than the ICMPv6 Echo Request/Reply types available to non-root).

> The group range thing I also consider hackish.

Why hackish? We'd want to leave the group range sysctl. With this thing you may restrict ICMP according to different policies:

1) 0 4294967295 - We trust all users in the system.
2) 0 0 - We don't trust users, root only.
3) 101 4294967295 - We trust real users, but don't trust daemons.
4) 109 109 - We trust a single group. Either /sbin/ping is g+s and owned by this group (like in Owl) or it is a group of "network admins" who are allowed to flood.
5) 200 300 - We trust users in this range. Little sense because of (4), but possible.

Minor note about sgid'ed /sbin/ping: in case of a vulnerability in this kernel code one has to find an additional bug in the ping binary to exploit this vulnerability (unless it is somehow triggerable with a ping arguments overflow or remotely).

Thank you,

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
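As an added illustration of the group-range policy table above (this is example code written for this page, not part of the patch under discussion or of the kernel), the following C program interprets a range in the text form the sysctl takes ("low high", an inclusive range of gids, with low > high meaning nobody is allowed) and applies the five policies from the mail to sample gids. It assumes the sysctl name the feature was later merged under, net.ipv4.ping_group_range (/proc/sys/net/ipv4/ping_group_range); the kernel permits the socket when the effective gid or any supplementary gid of the task falls inside the range. The main() reads the live value, predicts the outcome for the current process, and then tries socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) so an administrator can confirm that the configured policy and the observed behaviour agree.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Parsed form of the sysctl: inclusive [low, high]; low > high allows nobody. */
struct ping_range {
    unsigned long low;
    unsigned long high;
};

/* Parse "low high" (whitespace separated, as read from the sysctl file).
 * Returns 0 on success, -1 if either number is missing or malformed. */
int parse_ping_range(const char *text, struct ping_range *out)
{
    char *end;
    const char *p;
    unsigned long low, high;

    errno = 0;
    low = strtoul(text, &end, 10);
    if (end == text || errno != 0)
        return -1;
    p = end;
    high = strtoul(p, &end, 10);    /* strtoul skips the separating blank */
    if (end == p || errno != 0)
        return -1;
    out->low = low;
    out->high = high;
    return 0;
}

/* Policy check for a single gid: inside the inclusive range? */
int gid_allowed(const struct ping_range *r, unsigned long gid)
{
    return r->low <= gid && gid <= r->high;
}

/* The task passes if any of its gids is in range (egid or a supplementary group). */
int any_gid_allowed(const struct ping_range *r, const gid_t *gids, int n)
{
    int i;
    for (i = 0; i < n; i++)
        if (gid_allowed(r, (unsigned long)gids[i]))
            return 1;
    return 0;
}

/* Convenience: evaluate a sysctl text against one gid.
 * Returns 1 = permitted, 0 = denied, -1 = unparseable range. */
int range_permits(const char *text, unsigned long gid)
{
    struct ping_range r;
    if (parse_ping_range(text, &r) < 0)
        return -1;
    return gid_allowed(&r, gid);
}

int main(void)
{
    /* Assumed path of the sysctl as merged in mainline (not named in the mail). */
    const char *path = "/proc/sys/net/ipv4/ping_group_range";
    char buf[64];
    struct ping_range r;
    gid_t gids[128];
    int n, predicted, fd;
    FILE *f = fopen(path, "r");

    if (f == NULL || fgets(buf, sizeof buf, f) == NULL) {
        perror(path);
        return 1;
    }
    fclose(f);
    if (parse_ping_range(buf, &r) < 0) {
        fprintf(stderr, "unparseable range: %s", buf);
        return 1;
    }

    n = getgroups((int)(sizeof gids / sizeof gids[0]), gids);
    predicted = gid_allowed(&r, (unsigned long)getegid()) ||
                (n > 0 && any_gid_allowed(&r, gids, n));

    /* Observe what the kernel actually does for this process. */
    fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    printf("range [%lu, %lu], egid %lu: policy %s, socket() %s\n",
           r.low, r.high, (unsigned long)getegid(),
           predicted ? "permits" : "denies",
           fd >= 0 ? "succeeded" : strerror(errno));
    if (fd >= 0)
        close(fd);
    return 0;
}
```

The stock kernel default for this sysctl is "1 0", which is the "nobody" case (policy 2 in the mail, but even tighter: root is refused too and must use a raw socket), so a distribution has to set the range explicitly before an unprivileged ping can use the new socket kind.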