Re: [PATCH] network device statistic hooks

From: Serge E. Hallyn (hallyn@private)
Date: Wed Aug 25 2004 - 12:06:15 PDT


Yes, this is a convenience/functionality issue rather than a security issue.
If only two of 7 active interfaces are valid for you to use, then should
an ioctl(SIOCGIFCONF) show the other 5 interfaces?

In the worst case, jail (/vserver) could use /proc/$$/attr/current as a
substitute for ifconfig -a output, but this seems likely to break a great
number of scripts for any sysadmin having to work in a jail or vserver.

thanks,
-serge

> I think he meant that he didn't think it was going to fly, totally regardless of
> the performance issue, unless there was a clear-cut security advantage to being
> able to hide the existence of a network interface.
> 
> And actually, I'm having a hard time seeing what the win is either, given that
> there's a *lot* of information leakage issues.  For instance, it's probably possible
> to intuit the IP address bound to the interface (which is probably more interesting
> than the mere existence of the interface in most cases) by looking at 'netstat -a'
> and/or 'netstat -r'.  Similarly, the interface/IP may be mentioned elsewhere
> (think "Received:" headers on an e-mail).....
> 
> About the only case I can think of when the *interface* is of any real interest is
> if you wish to conceal the existence of an *unbound* interface that's running
> Kismet or a packet sniffer, and doing that on a system that has potentially
> hostile processes running on it seems dodgy at best....



This archive was generated by hypermail 2.1.3 : Wed Aug 25 2004 - 12:07:00 PDT