Subject: Re: TCPCTL_IDENT (Was: CVS commit: src/etc)
To: Simon Burge <firstname.lastname@example.org>
From: Steven M. Bellovin <email@example.com>
Date: 05/02/2003 09:30:55
In message <20030502132458.5B63B53E7F@thoreau.thistledown.com.au>, Simon Burge
>[ Added tech-security to list
> Background: allowing the TCPCTL_IDENT sysctl to work for any user.
> This sysctl allows you to find the owner of any TCP connection if
> you know the addresses and ports (easily obtainable from netstat)
> and currently only works for root (more through mis-design than
> policy (IMHO).]
>Matthias Scheler wrote:
>> On Fri, May 02, 2003 at 10:53:20PM +1000, Simon Burge wrote:
>> > The following patch changes the sysctl to using only the mib for the
>> > query and works with "nobody:kmem" in /etc/inetd.conf.
>> Does it really need group "kmem"? I don't see anything in this patch
>> which enforces it.
>Indeed no - I've checked that "nobody" and "nobody:nobody" works. (Does
>the former imply the latter as "nobody" is the group of the "nobody"
>> And that might open another security problem
>> because any user can query the owner of any TCP connection now.
>I don't have any idea of security implications of this. Anyone know
At the least, there's a privacy issue: on a multi-user machine, who is
connecting to www.ReallyNastyPictures.com?
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (2nd edition of "Firewalls" book)
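An added illustration of the design choice under discussion (this is example code, not code from the thread, from the patch, or from NetBSD): the same 4-tuple-to-owner lookup written two ways, the "any user may query" form the patch enables and a least-privilege form that reveals an owner only to root or to the user who owns the connection. The connection table, addresses, ports and uids are constructed for the example; the function names are assumptions.

```python
# Constructed example: a TCP-owner lookup with and without a caller check.
# Not NetBSD's TCPCTL_IDENT implementation; the table below is made up.
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]              # (IP address, port)
FourTuple = Tuple[Endpoint, Endpoint]   # (local endpoint, remote endpoint)

# Constructed connection table: (local, remote) -> owning uid
CONN_TABLE: Dict[FourTuple, int] = {
    (("192.0.2.10", 52311), ("203.0.113.5", 80)): 1001,
    (("192.0.2.10", 52312), ("203.0.113.9", 443)): 1002,
    (("192.0.2.10", 22), ("198.51.100.7", 41522)): 0,
}


def ident_open(table: Dict[FourTuple, int],
               local: Endpoint, remote: Endpoint) -> Optional[int]:
    """Lookup as the patch would allow: any caller learns the owner.

    Addresses and ports are already visible via netstat, so this maps a
    connection every user can see to the user who opened it."""
    return table.get((local, remote))


def ident_restricted(table: Dict[FourTuple, int], caller_uid: int,
                     local: Endpoint, remote: Endpoint) -> Optional[int]:
    """Least-privilege variant: root sees everything, other callers see
    only connections they own.  A denied lookup returns None exactly like
    a miss, so the caller is told nothing extra."""
    owner = table.get((local, remote))
    if owner is None:
        return None                      # no such connection
    if caller_uid == 0 or caller_uid == owner:
        return owner
    return None                          # someone else's connection: deny
```

The restricted form keeps the sysctl useful for the inetd "ident" case (a user, or root on the user's behalf, can still resolve its own connections) while removing the cross-user disclosure raised above.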