What security risk does allow.raw_sockets=1 enable in a jail?

Hi,

I wonder what security risk arises when I enable
Code:
allow.raw_sockets=1
for jails? These are customer jails and yes, I can't fully trust them. The point is, the customers wonder why they are not allowed to ping or trace. Is there a way to reach a compromise?

Many thanks in advance!
 
icecoke said:
I wonder what security risk arises when I enable
Code:
allow.raw_sockets=1
for jails?
Access to raw sockets enables one to perform packet sniffing/spoofing/injection because it pretty much bypasses the normal TCP/IP stack. Raw sockets are root's prerogative, which is why programs such as ping(8) are suid root. I imagine that a weakness in such programs could enable a skillful cracker to achieve a jailbreak.

This is just off the top of my head first instinct, though. If I can find the time to give it some more thought (which I probably should) I'll follow up. Or maybe this will inspire others to weigh in.
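An added audit script (my own, not something posted in this thread) that lists which jails have the two parameters discussed here turned on, so an operator can see where the extra exposure sits. It assumes jls(8) accepts parameter names on its command line and prints boolean parameters as true/false (1/0 is also accepted), and it falls back to a constructed sample when not run on a FreeBSD host.

```shell
#!/bin/sh
# Added audit script, not from the thread. Reports jails that have
# allow.raw_sockets or allow.sysvipc enabled.
# Assumption: jls(8) prints boolean parameters as "true"/"false";
# older releases may print 1/0, so both spellings are accepted below.

# Constructed sample standing in for:
#   jls name allow.raw_sockets allow.sysvipc
SAMPLE_JLS='cust1 false false
cust2 true false
cust3 true true'

# audit_jails: read jls-style lines (name raw_sockets sysvipc) from stdin,
# print "name: <flags>" for every jail with at least one risky flag set.
audit_jails() {
    awk '
    function on(v) { return (v == "true" || v == 1) }
    on($2) || on($3) {
        flags = ""
        if (on($2)) flags = flags " allow.raw_sockets"
        if (on($3)) flags = flags " allow.sysvipc"
        print $1 ":" flags
    }'
}

# count_risky: number of flagged jails, read from stdin.
count_risky() {
    audit_jails | wc -l | tr -d ' '
}

# On a FreeBSD host, "--live" queries the running jails; "--sample" runs
# the constructed sample above so the script can be tried anywhere.
if [ "${1:-}" = "--live" ] && command -v jls >/dev/null 2>&1; then
    jls name allow.raw_sockets allow.sysvipc | audit_jails
elif [ "${1:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE_JLS" | audit_jails
fi
```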
 
@kpa They need what they get. So they will live with it, I guess ;)

@fonz Thanks for your suggestion. Our customers even have root in their jail, so no weakness would be needed; they could write their own code if raw sockets enable bad things. :\

What about
Code:
sysvipc_allowed=1
? Does this pose a risk of a jailbreak, or 'just' of sniffing/killing the shared memory of other jails (assuming the host is not using shared memory at all)?

Thanks again!
 