summaryrefslogtreecommitdiff
path: root/net
diff options
context:
space:
mode:
authorBjörn Steinbrink <B.Steinbrink@gmx.de>2006-10-20 00:21:10 -0700
committerDavid S. Miller <davem@davemloft.net>2006-10-20 00:21:10 -0700
commit82fac0542e11c0d3316cc8fdafd2a990d2aab692 (patch)
treef9122a00efc66f3035f76d07f9a6dd66c1558b20 /net
parent206daaf77f68ce0f103164e6406336068c87a4a5 (diff)
downloadlwn-82fac0542e11c0d3316cc8fdafd2a990d2aab692.tar.gz
lwn-82fac0542e11c0d3316cc8fdafd2a990d2aab692.zip
[NETFILTER]: Missing check for CAP_NET_ADMIN in iptables compat layer
The 32bit compatibility layer has no CAP_NET_ADMIN check in compat_do_ipt_get_ctl, which for example allows to list the current iptables rules even without having that capability (the non-compat version requires it). Other capabilities might be required to exploit the bug (eg. CAP_NET_RAW to get the nfnetlink socket?), so a plain user can't exploit it, but a setup actually using the posix capability system might very well hit such a constellation of granted capabilities. Signed-off-by: Björn Steinbrink <B.Steinbrink@gmx.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/netfilter/ip_tables.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 78a44b01c035..4b90927619b8 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1932,6 +1932,9 @@ compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
{
int ret;
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
switch (cmd) {
case IPT_SO_GET_INFO:
ret = get_info(user, len, 1);