On Thu, 2003-01-30 at 17:33, Abhishek Singh wrote:
> Is it possible for a netfilter hook registered during module insertion
> time to be removed by a userspace application (such as iptables) without
> the insertion of a new module?
Yeah, remove all rules using it and rmmod the module.
> What I am trying to do is implement a hook for secure packet processing
> using netfilter. If however an attacker can remove this hook without
> inserting a new module or compromising the kernel in some way then the
> security level of this hook is compromised.
You gotta be root to manipulate iptables. If a user could manipulate ANY
iptables rules security would already be compromised because any user
could fuck with firewall rules.
HTH
-- 
// Gianni Tedesco (gianni at scaramanga dot co dot uk)
lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D