Subject: Re: TCPCTL_IDENT (Was: CVS commit: src/etc)
To: Simon Burge <>
From: Steven M. Bellovin <>
List: tech-kern
Date: 05/02/2003 09:30:55
In message <>, Simon Burge 
>[ Added tech-security to list
>  Background: allowing the TCPCTL_IDENT sysctl to work for any user.
>  This sysctl allows you to find the owner of any TCP connection if
>  you know the addresses and ports (easily obtainable from netstat)
>  and currently only works for root (more through mis-design than
>  policy (IMHO)).]
>Matthias Scheler wrote:
>> On Fri, May 02, 2003 at 10:53:20PM +1000, Simon Burge wrote:
>> > The following patch changes the sysctl to use only the mib for the
>> > query and works with "nobody:kmem" in /etc/inetd.conf.
>> Does it really need group "kmem"? I don't see anything in this patch
>> which enforces it.
>Indeed no - I've checked that "nobody" and "nobody:nobody" works.  (Does
>the former imply the latter as "nobody" is the group of the "nobody"
>> And that might open another security problem
>> because any user can query the owner of any TCP connection now.
>I don't have any idea of security implications of this.  Anyone know

At the least, there's a privacy issue: on a multi-user machine, who is 
connecting to

		--Steve Bellovin, (me) (2nd edition of "Firewalls" book)