[Bug 754611] New: Netlink and raw packet inconsistencies or obsolete man pages?
https://bugzilla.novell.com/show_bug.cgi?id=754611
https://bugzilla.novell.com/show_bug.cgi?id=754611#c0

Summary: Netlink and raw packet inconsistencies or obsolete man pages?
Classification: openSUSE
Product: openSUSE 12.1
Version: Final
Platform: All
OS/Version: openSUSE 12.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kernel
AssignedTo: kernel-maintainers@forge.provo.novell.com
ReportedBy: nt1277@gmail.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2

man 7 netlink states that:

"Only processes with an effective UID of 0 or the CAP_NET_ADMIN capability may send or listen to a netlink multicast group."

In addition man 7 capabilities states that:

"CAP_NET_RAW Use RAW and PACKET sockets."

Despite these statements I was able to run the following code without getting any access denied type error messages:

################################
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <unistd.h>

int filedes;
/* fields: nl_family, nl_pad, nl_pid, nl_groups (nl_groups = 0: no multicast group requested) */
struct sockaddr_nl nladdr = {AF_NETLINK, 0, 0, 0};

int main(int argc, char *argv[], char *envp[])
{
    nladdr.nl_pid = getpid();
    /* raw netlink socket on the uevent protocol, created as an ordinary user */
    filedes = socket(AF_NETLINK, SOCK_RAW, NETLINK_KOBJECT_UEVENT);
    bind(filedes, (struct sockaddr *)&nladdr, sizeof(nladdr));
    close(filedes);
    return 0;
}
################################

Sorry for not testing if I can actually send or receive raw multicast netlink packages, this is because I'm not a programmer actually. The code above could be run without any problem on openSUSE 12.1's standard kernel and on a vanilla 2.6.32.49. Is it a bug or is it intentional (and then man pages are outdated)? In the latter case what protects the udev subsystem for example?

Reproducible: Always

Steps to Reproduce:
1. Compile the code above
2. Strace it and see what return values you are getting

Actual Results:
The kernel lets ordinary users create a raw netlink socket with multipath bitmaps enabled.
Expected Results:
According to the mentioned manpages it probably should prohibit it instead.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=754611#c1

Jeff Mahoney <jeffm@suse.com> changed:

           What    |Removed                                   |Added
----------------------------------------------------------------------------
                 CC|                                          |jeffm@suse.com
          Component|Kernel                                    |Documentation
         AssignedTo|kernel-maintainers@forge.provo.novell.com |pgajdos@suse.com
          QAContact|qa-bugs@suse.de                           |ke@suse.com

--- Comment #1 from Jeff Mahoney <jeffm@suse.com> 2012-03-29 11:58:35 EDT ---
In general those permission rules are true. However, netlink protocols have the ability to allow non-root senders and receivers even for those types of packets. It's up to the subsystem to allow them. Currently, kobject_uevent, selinux, rtnetlink, and genetlink all allow non-root receivers. None of them allow non-root senders.

Petr, can you add the following paragraph below the last paragraph in the "Address Groups" section? It should probably go upstream as well.

Some Linux kernel subsystems may additionally allow other users to send and/or receive messages. As of Linux 3.0, the NETLINK_KOBJECT_UEVENT, NETLINK_GENERIC, NETLINK_ROUTE, and NETLINK_SELINUX groups allow other users to receive messages. No groups allow other users to send messages.
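The three separate checks described in comment #1 (no capability for socket(), CAP_NET_ADMIN for a multicast bind() unless the protocol opts in with NL_CFG_F_NONROOT_RECV, CAP_NET_ADMIN for a multicast send unless it opts in with NL_CFG_F_NONROOT_SEND) can be observed directly. The program below is an added example written for this page; it is not the reporter's program and not part of the bug thread. It assumes a Linux host and uses only the netlink socket API and /proc/self/status. The send probe targets group 32 (bit 31), which no uevent listener can subscribe to because the uevent protocol registers a single group, so a run that does hold CAP_NET_ADMIN delivers nothing to udev. The struct and function names (nl_probe, probe_netlink, have_cap_net_admin, sender_is_kernel) are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>

/* Outcome of one probe: 0 = call succeeded, >0 = errno it failed with,
 * -1 = call not attempted because socket() already failed. */
struct nl_probe {
    int socket_errno;
    int bind_errno;
    int send_errno;
};

/* CAP_NET_ADMIN is bit 12 of the CapEff bitmap in /proc/self/status.
 * Returns 1 if set, 0 if clear, -1 if the file could not be read. */
int have_cap_net_admin(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int result = -1;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            unsigned long long caps = strtoull(line + 7, NULL, 16);
            result = (int)((caps >> 12) & 1);
            break;
        }
    }
    fclose(f);
    return result;
}

/* Create a SOCK_RAW netlink socket for `protocol` (no capability needed),
 * subscribe to the multicast groups in `recv_group` with bind() (needs
 * CAP_NET_ADMIN unless the protocol sets NL_CFG_F_NONROOT_RECV), then try a
 * send whose destination names the groups in `send_group` (needs
 * CAP_NET_ADMIN unless the protocol sets NL_CFG_F_NONROOT_SEND).  With
 * CAP_NET_ADMIN the permission check passes and the subsystem's own
 * kernel-side receiver, if any, decides the final result. */
struct nl_probe probe_netlink(int protocol, unsigned int recv_group,
                              unsigned int send_group)
{
    struct nl_probe r = { 0, -1, -1 };
    struct sockaddr_nl local = { .nl_family = AF_NETLINK };
    struct sockaddr_nl dst = { .nl_family = AF_NETLINK };
    /* A NOOP header is the smallest well-formed netlink message. */
    struct nlmsghdr hdr = { .nlmsg_len = NLMSG_HDRLEN, .nlmsg_type = NLMSG_NOOP,
                            .nlmsg_flags = NLM_F_REQUEST, .nlmsg_seq = 1 };
    int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, protocol);
    if (fd < 0) {
        r.socket_errno = errno;
        return r;
    }
    local.nl_pid = 0;              /* 0: let the kernel assign a unique port id */
    local.nl_groups = recv_group;  /* bitmask: group 1 is bit 0 */
    r.bind_errno = bind(fd, (struct sockaddr *)&local, sizeof local) < 0 ? errno : 0;

    dst.nl_pid = 0;                /* no unicast peer, multicast only */
    dst.nl_groups = send_group;
    r.send_errno = sendto(fd, &hdr, sizeof hdr, 0,
                          (struct sockaddr *)&dst, sizeof dst) < 0 ? errno : 0;
    close(fd);
    return r;
}

/* Messages the kernel itself multicasts carry source port id 0.  A listener
 * bound to group 1 (as udev is) can therefore separate real uevents from
 * anything a user process managed to inject by checking the source address
 * filled in by recvfrom()/recvmsg(). */
int sender_is_kernel(const struct sockaddr_nl *from)
{
    return from->nl_family == AF_NETLINK && from->nl_pid == 0;
}

int main(void)
{
    struct nl_probe r = probe_netlink(NETLINK_KOBJECT_UEVENT, 1, 1u << 31);
    printf("euid=%d CAP_NET_ADMIN=%d\n", (int)geteuid(), have_cap_net_admin());
    printf("socket(AF_NETLINK, SOCK_RAW, NETLINK_KOBJECT_UEVENT): %s\n",
           r.socket_errno ? strerror(r.socket_errno) : "ok");
    printf("bind() to multicast group 1:                      %s\n",
           r.bind_errno > 0 ? strerror(r.bind_errno) : r.bind_errno == 0 ? "ok" : "skipped");
    printf("sendto() with a multicast destination:             %s\n",
           r.send_errno > 0 ? strerror(r.send_errno) : r.send_errno == 0 ? "ok" : "skipped");
    return 0;
}
```

Run as an ordinary user the first two calls succeed and the send fails with EPERM, which is exactly the asymmetry in comment #1: the uevent protocol opts in to non-root receivers but not non-root senders, so a user can watch udev's traffic but cannot forge it. Re-run with CAP_NET_ADMIN (or as root outside a capability-restricted container) and the EPERM disappears.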
https://bugzilla.novell.com/show_bug.cgi?id=754611#c2

--- Comment #2 from Tamás Németh <nt1277@gmail.com> 2012-03-29 20:08:00 UTC ---
(In reply to comment #1)
> Petr, can you add the following paragraph below the last paragraph in the "Address Groups" section? It should probably go upstream as well.
>
> Some Linux kernel subsystems may additionally allow other users to send and/or receive messages. As of Linux 3.0, the NETLINK_KOBJECT_UEVENT, NETLINK_GENERIC, NETLINK_ROUTE, and NETLINK_SELINUX groups allow other users to receive messages. No groups allow other users to send messages.

I assume this is to be written into man 7 netlink, isn't it? But what about man 7 capabilities, which suggests to me that CAP_NET_RAW is necessary for creating a raw socket? Netlink seems to break that rule, too. BTW, thank you for looking at this bug report!
https://bugzilla.novell.com/show_bug.cgi?id=754611#c3

--- Comment #3 from Jeff Mahoney <jeffm@suse.com> 2012-03-29 16:10:44 EDT ---
Yes, 7 netlink. The capabilities man page could probably use some general fleshing out, but it's probably not just CAP_NET_RAW that has exceptions in there.
https://bugzilla.novell.com/show_bug.cgi?id=754611#c4

Petr Gajdos <pgajdos@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #4 from Petr Gajdos <pgajdos@suse.com> 2012-04-06 07:23:25 UTC ---
Fixed, thanks for reporting.
https://bugzilla.novell.com/show_bug.cgi?id=754611#c5

--- Comment #5 from Bernhard Wiedemann <bwiedemann@suse.com> 2012-04-06 10:00:08 CEST ---
This is an autogenerated message for OBS integration:
This bug (754611) was mentioned in
https://build.opensuse.org/request/show/112765 Factory / man-pages