Cagefs + host and ping ?

  • Cagefs + host and ping ?

    Hello,

    Is there a security reason to not allow a user to use commands like:

    /usr/bin/host
    /bin/ping

    ?

    These don't seem to be allowed by default in cagefs… and I'm wondering if there is a reason or if it's safe to allow them?

    Thanks

  • #2
    ping has a suid bit, so it has to be added as a proxy command.
    host -- I don't remember the reason we didn't add it. I don't think it would be an issue.



    • #3
      Would I just add :

      PING=/bin/ping

      ?

      I'm not sure what the variable names (PING) are for…

      Also, a similar question: should /usr/bin/id be a proxy command or not?



      • #4
        Yes, that is basically it. After that execute:
        cagefsctl --force-update

        So it would actually create /bin/ping inside cagefs.

        ]# ls -l /usr/bin/id
        -rwxr-xr-x. 1 root root 28104 May 23 07:00 /usr/bin/id

        No suid bit... programs without a suid bit don't need to be proxy commands.
        Also, be careful with proxy. Proxy means: execute on the real system. So, if you added the id command to proxy, a hacker would be able to run a dictionary attack:
        id user1
        id user2
        id user3

        to figure out which users exist.

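Added example, not part of the thread and not CloudLinux code: a shell audit that applies the rule from post #4 (suid bit means proxy command, no suid bit means no proxy) to a list of entries in the `ALIAS=/path` form from post #3. The function names and the list file passed as an argument are assumptions, and only that simple entry form is parsed.

```shell
#!/bin/sh
# Added example: flag proxy entries whose target has no suid/sgid bit.
# Such entries gain nothing from proxying and only run on the real system.

# classify PATH -> prints missing | setuid | setgid | plain
classify() {
    if [ ! -e "$1" ]; then echo missing
    elif [ -u "$1" ]; then echo setuid
    elif [ -g "$1" ]; then echo setgid
    else echo plain
    fi
}

# audit_proxy_file FILE -> one verdict line per ALIAS=/path entry.
# Returns 1 if any entry points at a non-suid or missing binary.
audit_proxy_file() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue                      # skip blank lines
        case "$line" in
            *=*) ;;                                     # looks like ALIAS=/path
            *) echo "SKIP  unparsed: $line"; continue ;;
        esac
        alias_name=${line%%=*}
        target=${line#*=}
        kind=$(classify "$target")
        case "$kind" in
            setuid|setgid)
                echo "OK    $alias_name -> $target ($kind, proxy justified)" ;;
            plain)
                echo "WARN  $alias_name -> $target (no suid bit, proxy not needed)"
                rc=1 ;;
            missing)
                echo "WARN  $alias_name -> $target (not found)"
                rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# Audit the list file named on the command line, if one was given.
if [ -n "${1:-}" ]; then audit_proxy_file "$1"; fi
```

A `WARN` on a binary such as `/usr/bin/id` is the case post #4 warns about: the proxy buys nothing and lets caged users query the real system's accounts.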


        • #5
          Thanks !
