iptables match uid-owner only works for root?
buck
by Kasper Dupont in a posting to this NG on 15Jul02.
Ian Jones:
>> #!/bin/sh
>> iptables -F
>> iptables -F -t nat
>> iptables -F -t mangle
>> iptables -P INPUT DROP
>> iptables -P OUTPUT DROP
>> iptables -P FORWARD DROP
>> iptables -A INPUT -i lo -j ACCEPT
>> iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
## INSERTED BY BUCK:
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
>> iptables -A OUTPUT -m state --state NEW -m owner --uid-owner ian -j
ACCEPT
Kasper Dupont:
>Of course the username should insert his
>own username, and BTW Wouldn't you need:
>-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
>somewhere?
I put Kasper's OUTPUT line at ##INSERT and changed "ian" to "buck",
but the only thing that makes the above script work is to change
"buck" to "root"!!?? Then, logged in as either buck or root, I can
surf. Otherwise everything is DROPped.
Since Ian and Kasper are pretty savvy men, I have to believe that
there is some serious problem in my setup. Anyone have suggestions of
things that I need to check / fix? If it matters, the computer runs
Slackware 9.0 with all (appropriate) updates from the patches/packages
directory installed.
buck
Horst Knobloch
[...]
>>> iptables -A OUTPUT -m state --state NEW -m owner --uid-owner ian -j
> ACCEPT
> I put Kasper's OUTPUT line at ##INSERT and changed "ian" to "buck",
> but the only thing that makes the above script work is to change
> "buck" to "root"!!?? Then, logged in as either buck or root, I can
> surf. Otherwise everything is DROPped.
What happens if you enter the above rule manually as root?
I get an "iptables: Invalid argument" with my current RH
kernel 2.4.20-13.8 and all RH updates applied. However the
command works with the previous kernel 2.4.18-26.8.0.
I run iptables v1.2.6a.
> Since Ian and Kasper are pretty savvy men, I have to believe that
> there is some serious problem in my setup. Anyone have suggestions of
> things that I need to check / fix? If it matters, the computer runs
> Slackware 9.0 with all (appropriate) updates from the patches/packages
> directory installed.
See above, may be your owner match is also somehow
broken. Look for another kernel and check for an
iptables update if there is any. I haven't tried the
iptables update myself since at the moment I don't need
the owner match. So it's up to you to check. ;-)
Ciao, Horst
--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn
buck
wrote:
>On Sunday 01 June 2003 20:12 , buck wrote:
>>>> iptables -A OUTPUT -m state --state NEW \
>>>> -m owner --uid-owner buck -j ACCEPT
>What happens if you enter the above rule manually as root?
>
>I get an "iptables: Invalid argument" with my current RH
>kernel 2.4.20-13.8 and all RH updates applied. However the
>command works with the previous kernel 2.4.18-26.8.0.
>I run iptables v1.2.6a.
It loads the module ipt_owner. iptables -L -n shows what I expect:
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW OWNER UID match 1005
>See above, may be your owner match is also somehow
>broken. Look for another kernel and check for an
>iptables update if there is any.
kernel 2.4.20 (unmodified)
iptables v1.2.7a
Logged in as buck,
id
returns:
uid=1005(buck) gid=100(users) groups=100(users)
I get your point, but since the match does work for "root", I'm 99%
sure it is not broken for "buck". I think this has something to do
with who runs/owns the program. When "buck" is matched and types
`ping 207.171.0.10' that fails but when "root" is matched and types
that same ping command, it works - and it also then works for buck,
which it should not! So I conclude that ping (and ftp and lynx Etc)
somehow are run by buck as root, such that buck never matches anything
in the packet.
That's why I think this is a security issue, not an iptables issue.
>I haven't tried the
>iptables update myself since at the moment I don't need
>the owner match. So it's up to you to check. ;-)
>
>
>Ciao, Horst
Thanks for the input.
buck
Kasper Dupont
>
> When "buck" is matched and types
> `ping 207.171.0.10'
ping is suid root, which means that no matter who types
ping, the owner module will see root as sender of the
ICMP echo-request packet.
--
Kasper Dupont -- der bruger for meget tid på usenet.
For sending spam use mailto:aaa...@daimi.au.dk
for(_=52;_;(_%5)||(_/=5),(_%5)&&(_-=2))putchar(_);
Horst Knobloch
> On Tue, 03 Jun 2003 01:13:05 +0200, Horst Knobloch <hors...@gmx.de>
> wrote:
>
>>On Sunday 01 June 2003 20:12 , buck wrote:
[manually set owner rule]
>>I get an "iptables: Invalid argument" with my current RH
>>kernel 2.4.20-13.8 and all RH updates applied. However the
>>command works with the previous kernel 2.4.18-26.8.0.
>>I run iptables v1.2.6a.
>
> It loads the module ipt_owner. iptables -L -n shows what I expect:
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW OWNER UID match 1005
Ok, in my case the rule wasn't even loaded into the kernel.
[...]
> kernel 2.4.20 (unmodified)
> iptables v1.2.7a
Hm, may be I manually update iptables to this newer version
and check whether this helps in my case.
> Logged in as buck,
> id
> returns:
> uid=1005(buck) gid=100(users) groups=100(users)
>
> I get your point, but since the match does work for "root", I'm 99%
> sure it is not broken for "buck". I think this has something to do
> with who runs/owns the program. When "buck" is matched and types
> `ping 207.171.0.10' that fails but when "root" is matched and types
> that same ping command, it works - and it also then works for buck,
> which it should not! So I conclude that ping (and ftp and lynx Etc)
> somehow are run by buck as root, such that buck never matches anything
> in the packet.
Some commands like ping and traceroute have the setuid bit set,
that means those cmds are run as root. However I would be
surprised if your ftp client and lynx has also the setuid bit
set. So you check those programs again.