[PATCH] iptables, ipnatctl -> /sbin

Tommi Virtanen tv@debian.org
Sat, 6 Nov 1999 14:42:39 +0200

On Sat, Nov 06, 1999 at 05:54:39PM +1100, Daniel Stone wrote:
> 	There was a fix (included in .10 if I recall correctly) that fixed
> a bug that allowed non-root users to modify the packet filter tables. But,
> there's another problem vaguely like this - but this time in the
> Makefiles. iptables and ipnatctl, which, for security reasons, should only
> be accessible by root, are in /usr/local/bin - a world-readable executable
> dir ?!? I've included a patch that adds a new var - SBINDIR (which is
> /usr/sbin), and patches the NAT/userspace Makefile and the
> packet-filter/userspace Makefile to send iptables and ipnatctl to SBINDIR,
> where they belong. (note: I used /usr/sbin because I've never, ever seen
> anything go to /usr/local/sbin).

	How would the binaries' readability/executability by
        normal users affect anything? They can compile their
        own. It's not like they'd be suid or anything. Normal
        users can't run them _as root_, that should be enough.
Havoc Consulting | unix, linux, perl, mail, www, internet, security consulting
+358 50 5486010  | software development, unix administration, training