kernel-packages team mailing list archive
Message #16475
[Bug 1228368] Re: netfilter/iptables --uid-owner options work incorrect
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1228368
Title:
netfilter/iptables --uid-owner options work incorrect
Status in “linux” package in Ubuntu:
New
Bug description:
When using iptables, I enter the following rule (loaded via the
iptables-restore script /etc/network/if-up.d/iptablesload):
-A domains-rules-out -p icmp -m owner --uid-owner pinguser -j ACCEPT
However, this rule does not work (packets are processed by the overall policy DROP).
If I change it to the rule
-A domains-rules-out -p icmp -m owner --gid-owner pinguser -j ACCEPT
the rule works (it is possible to send requests with the ping program).
pinguser is both a user and a group, with ids 201 and 202.
From /etc/passwd
pinguser:x:201:202:pinguser,,,:/:/bin/false
From /etc/group
pinguser:x:202:
i.e. the first rule does not work (packets are dropped, although the rule has an ACCEPT target)
sudo -u pinguser ping yandex.ru
> operation not permitted
With the second rule (--gid-owner) packets pass normally with the same command.
Result of command
iptables -S domains-rules-out
for --uid-owner
-N domains-rules-out
-A domains-rules-out -p icmp -m owner --uid-owner 201 -j ACCEPT
-A domains-rules-out -d 194.149.67.129/32 -p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-A domains-rules-out -d 91.189.94.4/32 -p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-A domains-rules-out -d 91.189.89.199/32 -p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-A domains-rules-out -d 213.180.204.183/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A domains-rules-out -j RETURN
for --gid-owner
-N domains-rules-out
-A domains-rules-out -p icmp -m owner --gid-owner 202 -j ACCEPT
-A domains-rules-out -d 194.149.67.129/32 -p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-A domains-rules-out -d 91.189.89.199/32 -p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-A domains-rules-out -d 91.189.94.4/32 -p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-A domains-rules-out -d 213.180.204.183/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A domains-rules-out -j RETURN
---------------
I think the rules are expanded correctly (201 is the user id, 202 is the group id).
Apparently, iptables works correctly, but netfilter works incorrectly.
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: linux-image-3.5.0-40-generic 3.5.0-40.62~precise1
ProcVersionSignature: Ubuntu 3.5.0-40.62~precise1-generic 3.5.7.20
Uname: Linux 3.5.0-40-generic i686
AlsaVersion: Advanced Linux Sound Architecture Driver Version 1.0.25.
AplayDevices:
**** List of PLAYBACK Hardware Devices ****
card 0: I82801AAICH [Intel 82801AA-ICH], device 0: Intel ICH [Intel 82801AA-ICH]
Subdevices: 1/1
Subdevice #0: subdevice #0
ApportVersion: 2.0.1-0ubuntu17.4
Architecture: i386
AudioDevicesInUse:
USER PID ACCESS COMMAND
/dev/snd/controlC0: vin 1787 F.... pulseaudio
CRDA: Error: command ['iw', 'reg', 'get'] failed with exit code 1: nl80211 not found.
Card0.Amixer.info:
Card hw:0 'I82801AAICH'/'Intel 82801AA-ICH with STAC9700,83,84 at irq 21'
Mixer name : 'SigmaTel STAC9700,83,84'
Components : 'AC97a:83847600'
Controls : 34
Simple ctrls : 24
Date: Fri Sep 20 23:35:23 2013
InstallationMedia: Ubuntu 12.04.2 LTS "Precise Pangolin" - Release i386 (20130213)
IwConfig:
lo no wireless extensions.
eth0 no wireless extensions.
Lsusb:
Bus 002 Device 002: ID 80ee:0021 VirtualBox USB Tablet
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
MachineType: innotek GmbH VirtualBox
MarkForUpload: True
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
LANG=ru_RU.UTF-8
SHELL=/bin/bash
ProcFB: 0 VESA VGA
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.5.0-40-generic root=UUID=d84bcd4e-fc49-4877-973e-9fc356921db6 ro quiet splash vt.handoff=7
RelatedPackageVersions:
linux-restricted-modules-3.5.0-40-generic N/A
linux-backports-modules-3.5.0-40-generic N/A
linux-firmware 1.79.6
RfKill:
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 12/01/2006
dmi.bios.vendor: innotek GmbH
dmi.bios.version: VirtualBox
dmi.board.name: VirtualBox
dmi.board.vendor: Oracle Corporation
dmi.board.version: 1.2
dmi.chassis.type: 1
dmi.chassis.vendor: Oracle Corporation
dmi.modalias: dmi:bvninnotekGmbH:bvrVirtualBox:bd12/01/2006:svninnotekGmbH:pnVirtualBox:pvr1.2:rvnOracleCorporation:rnVirtualBox:rvr1.2:cvnOracleCorporation:ct1:cvr:
dmi.product.name: VirtualBox
dmi.product.version: 1.2
dmi.sys.vendor: innotek GmbH
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1228368/+subscriptions
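Added illustration, not part of the bug report or of any Ubuntu/netfilter code. The owner match (xt_owner) compares --uid-owner/--gid-owner against the fsuid/fsgid of the credentials that were current when the socket was created, not the uid the process runs as later. If ping is installed setuid root (an assumption about the reporter's system; the report does not say), it opens its raw ICMP socket while its fsuid is 0 and only then drops back to the caller's uid, so the socket is recorded as owned by uid 0 but still by gid 202, which is exactly the pattern observed above: --uid-owner 201 misses, --gid-owner 202 hits. The helper below predicts which owner rules would match for a user running a given binary; the uid/gid values, the /bin/ping path and its mode 4755 are constructed from the report, and the OwnerRule/audit names are hypothetical.

```python
"""Predict which `-m owner` rule variants will match traffic from a
command run as a given user. Constructed example, not from the bug report."""
import os
import stat
from typing import NamedTuple, Optional, List, Tuple


class Creds(NamedTuple):
    uid: int
    gid: int


class Binary(NamedTuple):
    path: str
    mode: int  # st_mode bits, e.g. 0o4755 for a setuid-root executable
    uid: int   # owner of the file
    gid: int   # group of the file


def socket_owner_after_exec(caller: Creds, binary: Binary) -> Creds:
    """Credentials the kernel records on a socket that `binary` opens right
    after being exec'd by `caller`.

    xt_owner compares the fsuid/fsgid captured when the socket was created.
    A setuid bit raises the uid to the file owner, a setgid bit raises the
    gid to the file group; a later setuid(getuid()) by the program (what
    ping does after opening its raw socket) does not change what was
    already recorded for that socket.
    """
    uid = binary.uid if binary.mode & stat.S_ISUID else caller.uid
    gid = binary.gid if binary.mode & stat.S_ISGID else caller.gid
    return Creds(uid, gid)


class OwnerRule(NamedTuple):
    """One `-m owner` match; None means the option is absent."""
    uid_owner: Optional[int] = None
    gid_owner: Optional[int] = None

    def matches(self, creds: Creds) -> bool:
        if self.uid_owner is not None and creds.uid != self.uid_owner:
            return False
        if self.gid_owner is not None and creds.gid != self.gid_owner:
            return False
        return True

    def describe(self) -> str:
        parts = ["-m owner"]
        if self.uid_owner is not None:
            parts.append("--uid-owner %d" % self.uid_owner)
        if self.gid_owner is not None:
            parts.append("--gid-owner %d" % self.gid_owner)
        return " ".join(parts)


def audit(caller: Creds, binary: Binary, rules: List[OwnerRule]) -> List[Tuple[str, bool]]:
    """For each rule, report whether it would hit for `caller` running `binary`."""
    creds = socket_owner_after_exec(caller, binary)
    return [(rule.describe(), rule.matches(creds)) for rule in rules]


def binary_from_path(path: str) -> Binary:
    """Read mode and owner of a real executable with os.stat (file must exist)."""
    st = os.stat(path)
    return Binary(path, st.st_mode, st.st_uid, st.st_gid)


if __name__ == "__main__":
    # Constructed values mirroring the report: pinguser uid 201 / gid 202,
    # ping assumed installed setuid root (mode 4755, owner root:root).
    pinguser = Creds(201, 202)
    ping = Binary("/bin/ping", 0o4755, 0, 0)
    rules = [OwnerRule(uid_owner=201), OwnerRule(gid_owner=202)]
    for text, hit in audit(pinguser, ping, rules):
        print("%-32s %s" % (text, "ACCEPT" if hit else "no match"))
```

Run it as-is for the constructed case, or replace the `Binary(...)` literal with `binary_from_path("/bin/ping")` to check a real system. A ping that carries the cap_net_raw file capability instead of the setuid bit keeps the caller's fsuid, so on such a system --uid-owner works and this helper reports a match for the uid rule as well.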