Date: Fri, 8 Aug 2008 23:01:26 -0700
From: Andrew Thompson <thompsa@FreeBSD.org>
To: freebsd-stable@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: should looking at an interface with 'ifconfig' trigger a ?change ?
Message-ID: <20080809060126.GB95107@citylink.fud.org.nz>
In-Reply-To: <200808081318.m78DIaXJ017555@lurza.secnetix.de>
References: <20080807173525.GB37969@citylink.fud.org.nz> <200808081318.m78DIaXJ017555@lurza.secnetix.de>

On Fri, Aug 08, 2008 at 03:18:36PM +0200, Oliver Fromme wrote:
> Andrew Thompson wrote:
> > Pete French wrote:
> > > > The bce driver is not properly generating link state events.
> > >
> > > OK, that explains why it doesn't failover - but why does looking at it
> > > with ifconfig make a difference ? surely that should be 'read only ?
> >
> > ifconfig will cause the media status to be read from the hardware at
> > which time the link change is generated as it is different to the stored
> > value.
>
> Shouldn't that be considered a security flaw? After all,
> you can perform "ifconfig $IF" inside a jail to list the
> interface configuration, but you're not allowed to make
> any changes.
>
> Given your description above, it means that it is possible
> to modify the interface configuration (cause a failover)
> from within a jail. That's not good. I think that needs
> to be fixed, or at the very least it needs to be properly
> documented.

I don't think it's a security flaw, this is meant to happen
automatically after all. You can't make ifconfig change the link status
within a jail, just catch up on reality.

Andrew