kernel-packages team mailing list archive

[Bug 1228368] Re: netfilter/iptables --uid-owner options work incorrect


** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1228368

Title:
  netfilter/iptables --uid-owner options work incorrect

Status in “linux” package in Ubuntu:
  New

Bug description:
  When using iptables, I enter the following rule (loaded via the
  iptables-restore script /etc/network/if-up.d/iptablesload):

  -A domains-rules-out -p icmp -m owner --uid-owner pinguser -j ACCEPT

  However, this rule does not work (packets are handled by the overall policy DROP).
  If you change it to the rule

  -A domains-rules-out -p icmp -m owner --gid-owner pinguser -j ACCEPT

  the rule works (the ping program is able to send a request).

  
  pinguser is both a user and a group, with uid 201 and gid 202.
  From /etc/passwd
  pinguser:x:201:202:pinguser,,,:/:/bin/false

  From /etc/group
  pinguser:x:202:

  i.e. the first rule does not work (the packet is dropped, although the rule's target is ACCEPT):
  sudo -u pinguser ping yandex.ru
  > operation not permitted

  With the second rule (--gid-owner) the packets go through normally with the same
  command.


  Result of command
  iptables -S domains-rules-out

  for --uid-owner

  -N domains-rules-out
  -A domains-rules-out -p icmp -m owner --uid-owner 201 -j ACCEPT
  -A domains-rules-out -d 194.149.67.129/32 -p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
  -A domains-rules-out -d 91.189.94.4/32 -p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
  -A domains-rules-out -d 91.189.89.199/32 -p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
  -A domains-rules-out -d 213.180.204.183/32 -p tcp -m tcp --dport 443 -j ACCEPT
  -A domains-rules-out -j RETURN

  for --gid-owner

  -N domains-rules-out
  -A domains-rules-out -p icmp -m owner --gid-owner 202 -j ACCEPT
  -A domains-rules-out -d 194.149.67.129/32 -p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
  -A domains-rules-out -d 91.189.89.199/32 -p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
  -A domains-rules-out -d 91.189.94.4/32 -p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
  -A domains-rules-out -d 213.180.204.183/32 -p tcp -m tcp --dport 443 -j ACCEPT
  -A domains-rules-out -j RETURN

  ---------------

  I think the rules are expanded correctly (201 is the user id, 202 is the group id).
  Apparently iptables works correctly, but netfilter works incorrectly.

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: linux-image-3.5.0-40-generic 3.5.0-40.62~precise1
  ProcVersionSignature: Ubuntu 3.5.0-40.62~precise1-generic 3.5.7.20
  Uname: Linux 3.5.0-40-generic i686
  AlsaVersion: Advanced Linux Sound Architecture Driver Version 1.0.25.
  AplayDevices:
   **** List of PLAYBACK Hardware Devices ****
   card 0: I82801AAICH [Intel 82801AA-ICH], device 0: Intel ICH [Intel 82801AA-ICH]
     Subdevices: 1/1
     Subdevice #0: subdevice #0
  ApportVersion: 2.0.1-0ubuntu17.4
  Architecture: i386
  AudioDevicesInUse:
   USER        PID ACCESS COMMAND
   /dev/snd/controlC0:  vin        1787 F.... pulseaudio
  CRDA: Error: command ['iw', 'reg', 'get'] failed with exit code 1: nl80211 not found.
  Card0.Amixer.info:
   Card hw:0 'I82801AAICH'/'Intel 82801AA-ICH with STAC9700,83,84 at irq 21'
     Mixer name	: 'SigmaTel STAC9700,83,84'
     Components	: 'AC97a:83847600'
     Controls      : 34
     Simple ctrls  : 24
  Date: Fri Sep 20 23:35:23 2013
  InstallationMedia: Ubuntu 12.04.2 LTS "Precise Pangolin" - Release i386 (20130213)
  IwConfig:
   lo        no wireless extensions.
   
   eth0      no wireless extensions.
  Lsusb:
   Bus 002 Device 002: ID 80ee:0021 VirtualBox USB Tablet
   Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
   Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
  MachineType: innotek GmbH VirtualBox
  MarkForUpload: True
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   LANG=ru_RU.UTF-8
   SHELL=/bin/bash
  ProcFB: 0 VESA VGA
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.5.0-40-generic root=UUID=d84bcd4e-fc49-4877-973e-9fc356921db6 ro quiet splash vt.handoff=7
  RelatedPackageVersions:
   linux-restricted-modules-3.5.0-40-generic N/A
   linux-backports-modules-3.5.0-40-generic  N/A
   linux-firmware                            1.79.6
  RfKill:
   
  SourcePackage: linux
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 12/01/2006
  dmi.bios.vendor: innotek GmbH
  dmi.bios.version: VirtualBox
  dmi.board.name: VirtualBox
  dmi.board.vendor: Oracle Corporation
  dmi.board.version: 1.2
  dmi.chassis.type: 1
  dmi.chassis.vendor: Oracle Corporation
  dmi.modalias: dmi:bvninnotekGmbH:bvrVirtualBox:bd12/01/2006:svninnotekGmbH:pnVirtualBox:pvr1.2:rvnOracleCorporation:rnVirtualBox:rvr1.2:cvnOracleCorporation:ct1:cvr:
  dmi.product.name: VirtualBox
  dmi.product.version: 1.2
  dmi.sys.vendor: innotek GmbH
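The reporter shows --uid-owner 201 failing while --gid-owner 202 matches for the same ping invocation. One explanation worth checking is how the owner match actually works: the kernel records the credentials of the process that creates a socket (its fsuid and fsgid at creation time), and that is what `-m owner` compares against. If ping is a setuid-root binary, the raw socket is created with uid 0, while the gid stays that of the calling user, because setuid changes only the uid. The script below is an added diagnostic, not part of the bug report or of iptables; it models that credential rule so a rule author can predict which of --uid-owner / --gid-owner will match, and can inspect a real binary with stat(1) and getcap(8). That Ubuntu 12.04's /bin/ping is setuid root is an assumption here: on a system where ping carries a cap_net_raw file capability instead, the uid would not change and --uid-owner would be expected to match.

```shell
#!/bin/sh
# Added example (not from the bug report): model the credentials that the
# netfilter owner match sees on a socket opened by a program started from a
# given account. The kernel stores the creator's fsuid/fsgid on the socket at
# creation time; setuid/setgid bits on the executable change those before the
# socket is opened.

# socket_creds MODE FILE_UID FILE_GID CALLER_UID CALLER_GID
# MODE is the octal mode as printed by `stat -c %a` (e.g. 4755 or 755).
# Prints "uid:gid" as the owner match would see them.
socket_creds() {
    mode=$1; file_uid=$2; file_gid=$3; uid=$4; gid=$5
    # Leading digit of a 4-digit octal mode holds setuid (4) and setgid (2).
    special=${mode%???}
    special=${special:-0}
    [ $(( special & 4 )) -ne 0 ] && uid=$file_uid   # setuid: fsuid becomes file owner
    [ $(( special & 2 )) -ne 0 ] && gid=$file_gid   # setgid: fsgid becomes file group
    printf '%s:%s\n' "$uid" "$gid"
}

# uid_owner_matches RULE_UID CREDS: succeeds if "-m owner --uid-owner RULE_UID" matches
uid_owner_matches() { [ "${2%%:*}" = "$1" ]; }

# gid_owner_matches RULE_GID CREDS: succeeds if "-m owner --gid-owner RULE_GID" matches
gid_owner_matches() { [ "${2##*:}" = "$1" ]; }

# report_for_binary PATH CALLER_UID CALLER_GID: inspect a real executable.
report_for_binary() {
    path=$1; caller_uid=$2; caller_gid=$3
    set -- $(stat -c '%a %u %g' "$path")        # mode file_uid file_gid
    creds=$(socket_creds "$1" "$2" "$3" "$caller_uid" "$caller_gid")
    echo "$path: mode=$1 owner=$2:$3 -> sockets are created as uid:gid $creds"
    if uid_owner_matches "$caller_uid" "$creds"; then
        echo "  --uid-owner $caller_uid would match"
    else
        echo "  --uid-owner $caller_uid would NOT match (setuid binary)"
    fi
    if gid_owner_matches "$caller_gid" "$creds"; then
        echo "  --gid-owner $caller_gid would match"
    fi
    # File capabilities (e.g. cap_net_raw) grant the privilege without setuid,
    # so they leave the uid unchanged; show them when getcap is available.
    command -v getcap >/dev/null 2>&1 && getcap "$path"
    return 0
}

# Stand-alone usage on a live host:  sh owner_check.sh /bin/ping 201 202
if [ $# -eq 3 ]; then
    report_for_binary "$1" "$2" "$3"
fi
```

With the values from the report (caller 201:202, a setuid-root ping with mode 4755), `socket_creds` yields `0:202`: the --uid-owner 201 rule cannot match, while --gid-owner 202 does, which is exactly the behaviour described. For setuid helpers, keying the rule on a dedicated group (as the reporter ended up doing) is the dependable choice; the uid-based rule would only be reliable once the binary is privileged through file capabilities rather than setuid.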

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1228368/+subscriptions