openwrt/target/linux/generic
Jo-Philipp Wich 442db0d6d8 kernel: deny swconfig set requests for unprivileged users
The swconfig kernel infrastructure fails to do any permissions checks when
changing settings. As such an ordinary user account on a device with a
switch can change switch settings without any special permissions.
Routers generally have few non-admin users so this isn't a big hole, but it
is a security hole. Likely the greatest danger is for multifunction devices
which have a lot of extra daemons, compromising a low-security daemon would
allow one to modify switch settings and cause the router/switch to appear to
lock-up (or cause other sorts of troublesome nyetwork behavior).

Implement a check for CAP_NET_ADMIN in swconfig_set_attr() and deny any
requests originating from user contexts lacking this capability.

Reported-by: Elliott Mitchell <ehem+openwrt@m5p.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-11 00:53:19 +02:00
..
base-files update the /init file to start /sbin/init 2013-03-13 18:11:13 +00:00
files kernel: deny swconfig set requests for unprivileged users 2016-06-11 00:53:19 +02:00
image treewide: replace nbd@openwrt.org with nbd@nbd.name 2016-06-07 08:58:42 +02:00
patches-3.18 treewide: replace jow@openwrt.org with jo@mein.io 2016-06-07 11:42:52 +02:00
patches-4.1 treewide: replace jow@openwrt.org with jo@mein.io 2016-06-07 11:42:52 +02:00
patches-4.4 treewide: replace jow@openwrt.org with jo@mein.io 2016-06-07 11:42:52 +02:00
config-3.18 kernel: enable CONFIG_PANIC_ON_OOPS by default 2016-05-15 21:28:41 +02:00
config-4.1 kernel: enable CONFIG_PANIC_ON_OOPS by default 2016-05-15 21:28:41 +02:00
config-4.4 kernel: add missing config symbols for 4.4 2016-06-08 14:50:26 +02:00
PATCHES kernel: update PATCHES with a stricter policy 2013-07-09 20:52:07 +00:00