Subject: Re: TCPCTL_IDENT (Was: CVS commit: src/etc)
To: Simon Burge <simonb@wasabisystems.com>
From: Steven M. Bellovin <smb@research.att.com>
List: tech-security
Date: 05/02/2003 09:30:55
In message <20030502132458.5B63B53E7F@thoreau.thistledown.com.au>, Simon Burge 
writes:
>[ Added tech-security to list
>  Background: allowing the TCPCTL_IDENT sysctl to work for any user.
>  This sysctl allows you to find the owner of any TCP connection if
>  you know the addresses and ports (easily obtainable from netstat)
>  and currently only works for root (more through mis-design than
>  policy (IMHO)).]
>
>Matthias Scheler wrote:
>
>> On Fri, May 02, 2003 at 10:53:20PM +1000, Simon Burge wrote:
>>
>> > The following patch changes the sysctl to using only the mib for the
>> > query and works with "nobody:kmem" in /etc/inetd.conf.
>> 
>> Does it really need group "kmem"? I don't see anything in this patch
>> which enforces it.
>
>Indeed no - I've checked that "nobody" and "nobody:nobody" work.  (Does
>the former imply the latter, as "nobody" is the group of the "nobody"
>user?)
>
>> And that might open another security problem
>> because any user can query the owner of any TCP connection now.
>
>I don't have any idea of the security implications of this.  Anyone know
>better?

At the least, there's a privacy issue: on a multi-user machine, who is 
connecting to www.ReallyNastyPictures.com?


		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)