Re: [PATCH 08/19] tcp: authopt: Disable via sysctl by default

From: Leonard Crestez
Date: Sat Sep 25 2021 - 10:14:59 EST

On 9/25/21 4:57 AM, David Ahern wrote:
> On 9/21/21 10:14 AM, Leonard Crestez wrote:
> > This is mainly intended to protect against local privilege escalations
> > through a rarely used feature, so it is deliberately not namespaced.
> >
> > Enforcement is only at the setsockopt level; this should be enough to
> > ensure that the tcp_authopt_needed static key never turns on.
> >
> > No effort is made to handle disabling when the feature is already in
> > use.
>
> MD5 does not require a sysctl to use it, so why should this auth mechanism?

I think it would make sense for both these features to be off by default. They interact with TCP in complex ways and are available to all unprivileged users, but their real use cases are actually very limited.

Having to flip a few sysctls is very reasonable in the context of setting up a router.

My concern is that this feature ends up in distro kernels and somebody finds a way to use it for privilege escalation.

It also seems reasonable for "experimental" features to be off by default.

--
Regards,
Leonard