Date:      Fri, 8 Aug 2008 23:20:49 -0700
From:      Andrew Thompson <thompsa@FreeBSD.org>
To:        Marian Hettwer <mh@kernel32.de>
Cc:        freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Subject:   Re: should looking at an interface with 'ifconfig' trigger a?change ?
Message-ID:  <20080809062049.GC95107@citylink.fud.org.nz>
In-Reply-To: <293d3dc9ebaee1119424aa58532d3c5d@localhost>
References:  <200808081318.m78DIaXJ017555@lurza.secnetix.de> <293d3dc9ebaee1119424aa58532d3c5d@localhost>

On Fri, Aug 08, 2008 at 04:00:56PM +0200, Marian Hettwer wrote:
> Hi Oliver,
> 
> On Fri, 8 Aug 2008 15:18:36 +0200 (CEST), Oliver Fromme
> > 
> > Shouldn't that be considered a security flaw?  After all,
> > you can perform "ifconfig $IF" inside a jail to list the
> > interface configuration, but you're not allowed to make
> > any changes.
> > 
> > Given your description above, it means that it is possible
> > to modify the interface configuration (cause a failover)
> > from within a jail.  That's not good.  I think that needs
> > to be fixed, or at the very least it needs to be properly
> > documented.
> > 
> And regarding documentation. It should be documented, that lagg(4) won't
> work very well with bce(4). If it's nowhere documented that bce and
> failover with lagg doesn't work, some people might be screwed...

I guess so although bce will not be the only one. Also spanning tree,
carp and dhclient use link state events too, possibly others.


Andrew


