Re: ipfw l b for users ?

Al Longyear (longyear@netcom.com)
Thu, 15 Feb 1996 06:15:18 -0800 (PST)


Herbert Rosmanith wrote:

> non-root users can do "ipfw list block". shouldn't that return -EPERM ?
> i really don't like the users look at my firewall-tables o:-)

For what it is worth, I wonder why you have users on your firewall in
the first place. It is generally not a good idea to have user accounts
on the firewall.

However, in answer to your request, here is a patch to the system
which will prevent all but the 'root' user access to the rules.

The check for suser is probably not needed. However, including it
makes it an absolute certainty that the euid is root at the time that
the read occurs. You probably don't need any more than to change the
permissions on the inodes. That should be enough to prevent the inode
from being opened and read.

You should not permit the ipfw or ipfwadm program to be secured
'suid root', as that would be irresponsible. If you permit user
accounts on the firewall (again, this is not a good idea), then you
can't prevent the user from taking the source and building their own
copy. In short, don't protect the ipfw program. Protect the data.

These patches are for the 1.3.62 kernel.

--- linux/net/ipv4/ip_fw.c.orig Thu Feb 15 05:48:19 1996
+++ linux/net/ipv4/ip_fw.c Thu Feb 15 06:01:15 1996
@@ -1502,34 +1502,37 @@
reset);
}

#endif

#ifdef CONFIG_IP_FIREWALL

static int ip_fw_in_procinfo(char *buffer, char **start, off_t offset,
int length, int reset)
{
+ if (!suser()) return -EPERM;
return ip_chain_procinfo(IP_FW_IN, buffer,start,offset,length,
reset);
}

static int ip_fw_out_procinfo(char *buffer, char **start, off_t offset,
int length, int reset)
{
+ if (!suser()) return -EPERM;
return ip_chain_procinfo(IP_FW_OUT, buffer,start,offset,length,
reset);
}

static int ip_fw_fwd_procinfo(char *buffer, char **start, off_t offset,
int length, int reset)
{
+ if (!suser()) return -EPERM;
return ip_chain_procinfo(IP_FW_FWD, buffer,start,offset,length,
reset);
}
#endif

#ifdef CONFIG_IP_MASQUERADE

static int ip_msqhst_procinfo(char *buffer, char **start, off_t offset,
int length, int unused)
{
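Review bot: the same three-line guard `if (!suser()) return -EPERM;` is repeated in ip_fw_in_procinfo, ip_fw_out_procinfo and ip_fw_fwd_procinfo, while the visible start of ip_msqhst_procinfo at the end of this hunk shows no guard even though the second hunk tightens that /proc entry's mode too. Since all three firewall readers call ip_chain_procinfo, a single check inside ip_chain_procinfo (plus one in the masquerade reader) would cover them consistently and cannot be forgotten by a future caller. A short comment that the check is defence in depth behind the mode change, as the covering mail explains, would stop someone later removing one on the assumption the other suffices.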
@@ -1619,36 +1622,36 @@
ip_acct_procinfo
});
#endif
#ifdef CONFIG_IP_FIREWALL

if(register_firewall(PF_INET,&ipfw_ops)<0)
panic("Unable to register IP firewall.\n");

proc_net_register(&(struct proc_dir_entry) {
PROC_NET_IPFWIN, 8, "ip_input",
- S_IFREG | S_IRUGO | S_IWUSR, 1, 0, 0,
+ S_IFREG | S_IRUSR | S_IWUSR, 1, 0, 0,
0, &proc_net_inode_operations,
ip_fw_in_procinfo
});
proc_net_register(&(struct proc_dir_entry) {
PROC_NET_IPFWOUT, 9, "ip_output",
- S_IFREG | S_IRUGO | S_IWUSR, 1, 0, 0,
+ S_IFREG | S_IRUSR | S_IWUSR, 1, 0, 0,
0, &proc_net_inode_operations,
ip_fw_out_procinfo
});
proc_net_register(&(struct proc_dir_entry) {
PROC_NET_IPFWFWD, 10, "ip_forward",
- S_IFREG | S_IRUGO | S_IWUSR, 1, 0, 0,
+ S_IFREG | S_IRUSR | S_IWUSR, 1, 0, 0,
0, &proc_net_inode_operations,
ip_fw_fwd_procinfo
});
#endif
#ifdef CONFIG_IP_MASQUERADE
proc_net_register(&(struct proc_dir_entry) {
PROC_NET_IPMSQHST, 13, "ip_masquerade",
- S_IFREG | S_IRUGO, 1, 0, 0,
+ S_IFREG | S_IRUSR, 1, 0, 0,
0, &proc_net_inode_operations,
ip_msqhst_procinfo
});
#endif
}
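Review bot: the S_IRUGO to S_IRUSR change is the real enforcement, since the mode is checked at open() before any reader runs, but it only protects anything because the owner field that follows nlink in each initializer (assuming the 1.3 proc_dir_entry order mode, nlink, uid, gid) stays 0; a comment saying these entries must remain owned by uid 0 would help. The ip_masquerade entry is made owner-read-only here although its reader gets no suser() check in the first hunk, so the two hunks are not consistent. The patch description should also state the behaviour change: any non-root monitoring tool reading /proc/net/ip_input, ip_output, ip_forward or ip_masquerade will now be refused at open().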

-- 
Al Longyear            longyear@netcom.com            longyear@sii.com
Finger longyear@netcom.com for PGP public key.
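As an added defender's check (not part of the mail or the kernel patch), the following POSIX sh audit flags the two conditions the mail argues against: firewall table files readable by anyone but their owner, and firewall tools installed setuid. The default paths are the 1996 /proc/net names from the patch and the ipfw/ipfwadm binaries; all paths are assumptions you would adjust for your own system.

```shell
#!/bin/sh
# Constructed audit helper, not from the original mail.
# Exit status 0 means every checked file is clean, 1 otherwise.

# mode_string PATH -> first field of `ls -ld`, e.g. "-rw-r--r--" (POSIX)
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Succeeds (0) when group (char 5) or other (char 8) has read permission.
readable_by_others() {
    case "$(mode_string "$1")" in
        ????r*|???????r*) return 0 ;;
    esac
    return 1
}

# Succeeds (0) when the setuid bit (char 4 is 's' or 'S') is set.
is_setuid() {
    case "$(mode_string "$1")" in
        ???[sS]*) return 0 ;;
    esac
    return 1
}

# Report any table file that non-owners can read (the data the mail protects).
audit_fw_tables() {
    rc=0
    for f in "$@"; do
        [ -e "$f" ] || { echo "skipped (missing): $f"; continue; }
        if readable_by_others "$f"; then
            echo "READABLE BY NON-OWNER: $f $(mode_string "$f")"; rc=1
        fi
    done
    return $rc
}

# Report any firewall tool that is setuid (the mail calls this irresponsible).
audit_fw_tools() {
    rc=0
    for f in "$@"; do
        [ -e "$f" ] || { echo "skipped (missing): $f"; continue; }
        if is_setuid "$f"; then
            echo "SETUID TOOL: $f $(mode_string "$f")"; rc=1
        fi
    done
    return $rc
}
```

Run it as, for example, `audit_fw_tables /proc/net/ip_input /proc/net/ip_output /proc/net/ip_forward /proc/net/ip_masquerade; audit_fw_tools /sbin/ipfw /sbin/ipfwadm`; on a modern kernel those /proc names no longer exist and are simply reported as missing.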