Yes, this is a convenience/functionality issue rather than a security issue. If only two of 7 active interfaces are valid for you to use, then should an ioctl(SIOCGIFCONF) show the other 5 interfaces?

In the worst case, jail (/vserver) could use /proc/$$/attr/current as a substitute for ifconfig -a output, but this seems likely to break a great number of scripts for any sysadmin having to work in a jail or vserver.

thanks,
-serge

> I think he meant that he didn't think it was going to fly, totally regardless of
> the performance issue, unless there was a clear-cut security advantage to being
> able to hide the existence of a network interface.
>
> And actually, I'm having a hard time seeing what the win is either, given that
> there's a *lot* of information leakage issues. For instance, it's probably possible
> to intuit the IP address bound to the interface (which is probably more interesting
> than the mere existence of the interface in most cases) by looking at 'netstat -a'
> and/or 'netstat -r'. Similarly, the interface/IP may be mentioned elsewhere
> (think "Received:" headers on an e-mail).....
>
> About the only case I can think of when the *interface* is of any real interest is
> if you wish to conceal the existence of an *unbound* interface that's running
> Kismet or a packet sniffer, and doing that on a system that has potentially
> hostile processes running on it seems dodgy at best....
This archive was generated by hypermail 2.1.3 : Wed Aug 25 2004 - 12:07:00 PDT