Date: Fri, 8 Aug 2008 23:20:49 -0700
From: Andrew Thompson <thompsa@FreeBSD.org>
To: Marian Hettwer <mh@kernel32.de>
Cc: freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Subject: Re: should looking at an interface with 'ifconfig' trigger a change ?
Message-ID: <20080809062049.GC95107@citylink.fud.org.nz>
In-Reply-To: <293d3dc9ebaee1119424aa58532d3c5d@localhost>
References: <200808081318.m78DIaXJ017555@lurza.secnetix.de> <293d3dc9ebaee1119424aa58532d3c5d@localhost>

On Fri, Aug 08, 2008 at 04:00:56PM +0200, Marian Hettwer wrote:
> Hi Oliver,
>
> On Fri, 8 Aug 2008 15:18:36 +0200 (CEST), Oliver Fromme
> >
> > Shouldn't that be considered a security flaw?  After all,
> > you can perform "ifconfig $IF" inside a jail to list the
> > interface configuration, but you're not allowed to make
> > any changes.
> >
> > Given your description above, it means that it is possible
> > to modify the interface configuration (cause a failover)
> > from within a jail.  That's not good.  I think that needs
> > to be fixed, or at the very least it needs to be properly
> > documented.
> >
> And regarding documentation. It should be documented, that lagg(4) won't
> work very well with bce(4). If it's nowhere documented that bce and
> failover with lagg doesn't work, some people might be screwed...

I guess so although bce will not be the only one. Also spanning tree,
carp and dhclient use link state events too, possibly others.

Andrew
