Re: Disabling Promisc mode,

David Woodhouse (Dave@imladris.demon.co.uk)
Wed, 27 May 1998 21:14:25 +0200


> >I don't mean that.
> >I want something such that no one even root cannot take the machine into promisc
> >mode.
>
> >get the idea?
>
>
> Don't give root access to people you can't trust.

That's a fine plan if you can guarantee it. However, if someone _does_ get root
access to a box on a sensitive subnet, then it's nice to know they can't start
a packet sniffer without recompiling the kernel and rebooting.

Our University Computing Service has already suffered this kind of attack once
on their main server backbone, when a Solaris box was hacked. If promiscuous
mode isn't required, then it's entirely sensible to make it completely
impossible.

I'd like to see a CONFIG_DISABLE_PROMISC option, and will probably hack one
together next week.

For now, look through net/core/dev.c and muck about with dev_set_promiscuity()

---- ---- ----
David Woodhouse, Robinson College, CB3 9AN, England. (+44) 0976 658355
Dave@imladris.demon.co.uk http://www.imladris.demon.co.uk
finger pgp@dwmw2.robinson.cam.ac.uk for PGP key.
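
A monitoring counterpart to the compile-time block proposed in the message, given as an added example that is not part of the original post: a POSIX shell function that lists interfaces whose kernel flags word has IFF_PROMISC (0x100) set, as read from the per-interface `flags` file under `/sys/class/net` on current Linux. The function names and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report interfaces currently in promiscuous mode.
# Reads the hex flags word the kernel exposes per interface and tests
# the IFF_PROMISC bit (0x100, from <linux/if.h>).

# promisc_ifaces [DIR] -> prints one interface name per line.
# DIR defaults to /sys/class/net; it is a parameter so the check can be
# run against a saved copy or a test tree.
promisc_ifaces() {
    root=${1:-/sys/class/net}
    for dir in "$root"/*/; do
        [ -r "${dir}flags" ] || continue
        read -r flags < "${dir}flags" || continue
        hex=${flags#0x}
        # Accept only a plain hex number; skip empty or malformed values
        # rather than feeding them to shell arithmetic.
        case $hex in
            ''|*[!0-9a-fA-F]*) continue ;;
        esac
        if [ $(( 0x$hex & 0x100 )) -ne 0 ]; then
            basename "$dir"
        fi
    done
    return 0
}

# Constructed sample tree (not real data): lo and eth0 are normal,
# eth1 has IFF_PROMISC set. Prints the directory it created.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/lo" "$d/eth0" "$d/eth1"
    echo 0x9    > "$d/lo/flags"     # UP|LOOPBACK
    echo 0x1003 > "$d/eth0/flags"   # UP|BROADCAST|MULTICAST
    echo 0x1103 > "$d/eth1/flags"   # same as eth0, plus IFF_PROMISC
    echo "$d"
}

# Usage: promisc_ifaces                      (live system)
#        promisc_ifaces "$(make_sample_tree)"   (constructed data)
```

This check trusts what the running kernel reports, so an attacker who already holds root can interfere with it; that is the gap the message wants closed inside the kernel.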
