| From stable-bounces@linux.kernel.org Thu Nov 16 21:40:01 2006 |
| From: Patrick McHardy <kaber@trash.net> |
| To: stable@kernel.org |
| Message-Id: <20061117053541.10231.82376.sendpatchset@localhost.localdomain> |
| Date: Fri, 17 Nov 2006 06:35:41 +0100 (MET) |
| Cc: Patrick McHardy <kaber@trash.net>, davem@davemloft.net |
| Subject: NETFILTER: Missing check for CAP_NET_ADMIN in iptables compat layer |
| |
| The 32bit compatibility layer has no CAP_NET_ADMIN check in |
| compat_do_ipt_get_ctl, which for example allows to list the current |
| iptables rules even without having that capability (the non-compat |
| version requires it). Other capabilities might be required to exploit |
| the bug (eg. CAP_NET_RAW to get the nfnetlink socket?), so a plain user |
| can't exploit it, but a setup actually using the posix capability system |
| might very well hit such a constellation of granted capabilities. |
| |
| Signed-off-by: Björn Steinbrink <B.Steinbrink@gmx.de> |
| Signed-off-by: Patrick McHardy <kaber@trash.net> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Chris Wright <chrisw@sous-sol.org> |
| |
| --- |
| commit 4410392a8258fd972fc08a336278b14c82b2774f |
| tree 567261d003b2a8fb08c2d89d0d708dd06f357f49 |
| parent b4d854665eafe32b48e0eecadb91a73f6eea0055 |
| author Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:22:07 +0100 |
| committer Patrick McHardy <kaber@trash.net> Fri, 17 Nov 2006 06:22:07 +0100 |
| |
| net/ipv4/netfilter/ip_tables.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| --- linux-2.6.18.4.orig/net/ipv4/netfilter/ip_tables.c |
| +++ linux-2.6.18.4/net/ipv4/netfilter/ip_tables.c |
| @@ -1994,6 +1994,9 @@ compat_do_ipt_get_ctl(struct sock *sk, i |
| { |
| int ret; |
| |
| + if (!capable(CAP_NET_ADMIN)) |
| + return -EPERM; |
| + |
| switch (cmd) { |
| case IPT_SO_GET_INFO: |
| ret = get_info(user, len, 1); |