Cagefs + host and ping ?
  1. Richard Hordern
  2. Wednesday, 30 October 2013
Hello,

Is there a security reason to not allow a user to use commands like:

/usr/bin/host
/bin/ping

?

These don't seem to be allowed by default in cagefs… and I'm wondering if there is a reason or if it's safe to allow them ?

Thanks
  1. 30.10.2013 10:10:58
  2. # 1
Igor Seletskiy Accepted Answer
Posts: 1200
Joined: 09.02.2010
ping has a suid bit, so it has to be added as a proxy command.
host -- I don't remember the reason we didn't add it. I don't think it would be an issue.
  1. 30.10.2013 11:10:11
  2. # 2
Richard Hordern Accepted Answer
Posts: 219
Joined: 19.03.2011
Would I just add :

PING=/bin/ping

?

I'm not sure what the variable names (PING) are for…

Also similar question, should /usr/bin/id be a proxy command or not ?
  1. 30.10.2013 11:10:24
  2. # 3
Igor Seletskiy Accepted Answer
Posts: 1200
Joined: 09.02.2010
Yes, that is basically it. After that execute:
cagefsctl --force-update

So it would actually create /bin/ping inside cagefs.


]# ls -l /usr/bin/id
-rwxr-xr-x. 1 root root 28104 May 23 07:00 /usr/bin/id


No suid bit... programs without a suid bit don't need to be proxy commands.
Also, be careful with proxy. Proxy means: execute on the real system. So, if you would add the id command to proxy, a hacker would be able to run a dictionary attack:
id user1
id user2
id user3

to figure out which users exist.
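Added example, not part of the original post and not CloudLinux's own code: a POSIX shell check that applies the rule from the answer above (suid bit means proxy command, no suid bit means no proxy) to a list of binaries. The function names are hypothetical, the alias is assumed to be the upper-cased file name as in PING=/bin/ping, and the files in demo are constructed stand-ins.

```shell
#!/bin/sh
# classify PATH -> prints "proxy" (setuid/setgid bit set), "plain" or "missing".
classify() {
    if [ ! -f "$1" ]; then
        echo missing
    elif [ -u "$1" ] || [ -g "$1" ]; then
        echo proxy
    else
        echo plain
    fi
}

# proxy_line PATH -> prints an ALIAS=/path line in the form shown in the thread.
# Assumption: the alias is the upper-cased basename, as in PING=/bin/ping.
proxy_line() {
    alias_name=$(basename "$1" | tr '[:lower:]' '[:upper:]' | tr -c 'A-Z0-9\n' '_')
    printf '%s=%s\n' "$alias_name" "$1"
}

# report PATH... -> one line per binary with the decision and the reason.
report() {
    for bin in "$@"; do
        case $(classify "$bin") in
            proxy)   printf 'suid/sgid, runs on the real system if proxied: %s\n' "$(proxy_line "$bin")" ;;
            plain)   printf 'no suid bit, no proxy entry needed: %s\n' "$bin" ;;
            missing) printf 'not found: %s\n' "$bin" ;;
        esac
    done
}

# Constructed sample: empty stand-in files, one with the suid bit set.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/ping"; chmod 4755 "$d/ping"
    : > "$d/id";   chmod 0755 "$d/id"
    report "$d/ping" "$d/id" "$d/absent"
    rm -rf "$d"
}

demo
```

On a real server, call report with the actual paths, for example report /bin/ping /usr/bin/host /usr/bin/id.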
  1. 30.10.2013 20:10:29
  2. # 4
Richard Hordern Accepted Answer
Posts: 219
Joined: 19.03.2011
Thanks!