Date: Fri, 8 Aug 2008 15:18:36 +0200 (CEST)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-stable@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, thompsa@FreeBSD.ORG
Subject: Re: should looking at an interface with 'ifconfig' trigger a ?change ?
Message-ID: <200808081318.m78DIaXJ017555@lurza.secnetix.de>
In-Reply-To: <20080807173525.GB37969@citylink.fud.org.nz>

Andrew Thompson wrote:
 > Pete French wrote:
 > > > The bce driver is not properly generating link state events.
 > >
 > > OK, that explains why it doesn't failover - but why does looking at it
 > > with ifconfig make a difference ? surely that should be 'read only ?
 >
 > ifconfig will cause the media status to be read from the hardware at
 > which time the link change is generated as it is different to the stored
 > value.

Shouldn't that be considered a security flaw?

After all, you can perform "ifconfig $IF" inside a jail
to list the interface configuration, but you're not
allowed to make any changes. Given your description
above, it means that it is possible to modify the
interface configuration (cause a failover) from within
a jail. That's not good.

I think that needs to be fixed, or at the very least
it needs to be properly documented.

Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registergericht Muenchen, HRA 74606, Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Registergericht
München, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more: http://www.secnetix.de/bsd

"I started using PostgreSQL around a month ago, and the feeling is
similar to the switch from Linux to FreeBSD in '96 -- 'wow!'."
        -- Oddbjorn Steffensen