netfilter/iptables --uid-owner option works incorrectly

Bug #1228368 reported by Sergey Vinogradov
This bug affects 3 people
Affects: linux (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

When using iptables, I enter the following rule (loaded via an iptables-restore script, /etc/network/if-up.d/iptablesload):

-A domains-rules-out -p icmp -m owner --uid-owner pinguser -j ACCEPT

However, this rule does not work (the packets are handled by the chain's overall DROP policy).
If I change it to the rule

-A domains-rules-out -p icmp -m owner --gid-owner pinguser -j ACCEPT

the rule works (it is possible to send a request with the ping program).

pinguser is both a user and a group, with uid 201 and gid 202.
From /etc/passwd
pinguser:x:201:202:pinguser,,,:/:/bin/false

From /etc/group
pinguser:x:202:

i.e. the first rule does not work (the packet is dropped, although the rule has the ACCEPT target):
sudo -u pinguser ping yandex.ru
> operation not permitted

With the second rule (--gid-owner), packets from the same command go through normally.

Output of the command
iptables -S domains-rules-out

for --uid-owner

-N domains-rules-out
-A domains-rules-out -p icmp -m owner --uid-owner 201 -j ACCEPT
-A domains-rules-out -d 194.149.67.129/32 -p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-A domains-rules-out -d 91.189.94.4/32 -p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-A domains-rules-out -d 91.189.89.199/32 -p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-A domains-rules-out -d 213.180.204.183/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A domains-rules-out -j RETURN

for --gid-owner

-N domains-rules-out
-A domains-rules-out -p icmp -m owner --gid-owner 202 -j ACCEPT
-A domains-rules-out -d 194.149.67.129/32 -p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-A domains-rules-out -d 91.189.89.199/32 -p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-A domains-rules-out -d 91.189.94.4/32 -p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-A domains-rules-out -d 213.180.204.183/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A domains-rules-out -j RETURN

---------------

I think the rules are displayed correctly (201 is the user id, 202 is the group id).
Apparently iptables works correctly, but netfilter works incorrectly.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: linux-image-3.5.0-40-generic 3.5.0-40.62~precise1
ProcVersionSignature: Ubuntu 3.5.0-40.62~precise1-generic 3.5.7.20
Uname: Linux 3.5.0-40-generic i686
AlsaVersion: Advanced Linux Sound Architecture Driver Version 1.0.25.
AplayDevices:
 **** List of PLAYBACK Hardware Devices ****
 card 0: I82801AAICH [Intel 82801AA-ICH], device 0: Intel ICH [Intel 82801AA-ICH]
   Subdevices: 1/1
   Subdevice #0: subdevice #0
ApportVersion: 2.0.1-0ubuntu17.4
Architecture: i386
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: vin 1787 F.... pulseaudio
CRDA: Error: command ['iw', 'reg', 'get'] failed with exit code 1: nl80211 not found.
Card0.Amixer.info:
 Card hw:0 'I82801AAICH'/'Intel 82801AA-ICH with STAC9700,83,84 at irq 21'
   Mixer name : 'SigmaTel STAC9700,83,84'
   Components : 'AC97a:83847600'
   Controls : 34
   Simple ctrls : 24
Date: Fri Sep 20 23:35:23 2013
InstallationMedia: Ubuntu 12.04.2 LTS "Precise Pangolin" - Release i386 (20130213)
IwConfig:
 lo no wireless extensions.

 eth0 no wireless extensions.
Lsusb:
 Bus 002 Device 002: ID 80ee:0021 VirtualBox USB Tablet
 Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
 Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
MachineType: innotek GmbH VirtualBox
MarkForUpload: True
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 LANG=ru_RU.UTF-8
 SHELL=/bin/bash
ProcFB: 0 VESA VGA
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.5.0-40-generic root=UUID=d84bcd4e-fc49-4877-973e-9fc356921db6 ro quiet splash vt.handoff=7
RelatedPackageVersions:
 linux-restricted-modules-3.5.0-40-generic N/A
 linux-backports-modules-3.5.0-40-generic N/A
 linux-firmware 1.79.6
RfKill:

SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 12/01/2006
dmi.bios.vendor: innotek GmbH
dmi.bios.version: VirtualBox
dmi.board.name: VirtualBox
dmi.board.vendor: Oracle Corporation
dmi.board.version: 1.2
dmi.chassis.type: 1
dmi.chassis.vendor: Oracle Corporation
dmi.modalias: dmi:bvninnotekGmbH:bvrVirtualBox:bd12/01/2006:svninnotekGmbH:pnVirtualBox:pvr1.2:rvnOracleCorporation:rnVirtualBox:rvr1.2:cvnOracleCorporation:ct1:cvr:
dmi.product.name: VirtualBox
dmi.product.version: 1.2
dmi.sys.vendor: innotek GmbH
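An added worked example, not part of the bug report or of iptables itself: a POSIX shell model of what the owner match actually compares. In the kernel's xt_owner module, --uid-owner and --gid-owner are checked against the fsuid/fsgid recorded in the credentials of the socket's open file, and those credentials are fixed when the socket is created, not when a packet is later sent. The script assumes a ping binary that is setuid root (mode 4755, owned by root:root); the report does not state the file mode, so that is an assumption, as is the idea that ping opens its raw socket before dropping privileges. The passwd and group lines are the ones quoted in the report, embedded as constructed data; uid_of, gid_of, socket_creds, owner_match and verdict are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): model of how xt_owner decides
# --uid-owner / --gid-owner.  The kernel compares the rule against the
# fsuid/fsgid stored on the socket file's credentials, which are fixed at
# socket creation, not against whoever calls sendmsg() later.

# Constructed data: the passwd/group lines quoted in the report.
PASSWD='pinguser:x:201:202:pinguser,,,:/:/bin/false'
GROUP='pinguser:x:202:'

# uid_of NAME -> uid from the passwd data (what --uid-owner NAME resolves to)
uid_of() {
    printf '%s\n' "$PASSWD" | awk -F: -v n="$1" '$1 == n { print $3; f = 1 } END { exit !f }'
}

# gid_of NAME -> gid from the group data (what --gid-owner NAME resolves to)
gid_of() {
    printf '%s\n' "$GROUP" | awk -F: -v n="$1" '$1 == n { print $3; f = 1 } END { exit !f }'
}

# socket_creds CALLER_UID CALLER_GID MODE FILE_UID FILE_GID -> "fsuid fsgid"
# Credentials carried by a socket that a program with octal MODE (3 or 4
# digits, e.g. 4755), owned by FILE_UID:FILE_GID and started by CALLER,
# opens before it drops privileges.  The setuid bit makes the effective
# (and fs) uid the file owner's; setgid does the same for the gid.  A later
# setuid(getuid()) in the program does not rewrite the socket file's creds.
socket_creds() {
    fsuid=$1 fsgid=$2 mode=$3
    special=${mode%???}          # leading digit of a 4-digit octal mode, "" for 3 digits
    special=${special:-0}
    if [ $((special & 4)) -ne 0 ]; then fsuid=$4; fi   # setuid bit
    if [ $((special & 2)) -ne 0 ]; then fsgid=$5; fi   # setgid bit
    printf '%s %s\n' "$fsuid" "$fsgid"
}

# owner_match OPTION ID FSUID FSGID -> exit 0 when the rule matches the socket
owner_match() {
    case $1 in
        --uid-owner) [ "$3" -eq "$2" ] ;;
        --gid-owner) [ "$4" -eq "$2" ] ;;
        *) echo "unknown owner option: $1" >&2; return 2 ;;
    esac
}

# verdict OPTION NAME CALLER_UID CALLER_GID MODE FILE_UID FILE_GID
# Echoes ACCEPT if "-m owner OPTION NAME -j ACCEPT" matches a socket created
# by that program, otherwise DROP (the chain policy described in the report).
verdict() {
    opt=$1 name=$2
    case $opt in
        --uid-owner) id=$(uid_of "$name") || return 2 ;;
        --gid-owner) id=$(gid_of "$name") || return 2 ;;
        *) return 2 ;;
    esac
    set -- $(socket_creds "$3" "$4" "$5" "$6" "$7")
    if owner_match "$opt" "$id" "$1" "$2"; then echo ACCEPT; else echo DROP; fi
}

# The report's scenario: pinguser (201:202) runs ping.  With an assumed
# setuid-root ping (4755 root:root) the socket carries fsuid 0 and fsgid 202,
# so only the --gid-owner rule can match; without setuid both rules match.
echo "--uid-owner pinguser, setuid-root ping: $(verdict --uid-owner pinguser 201 202 4755 0 0)"
echo "--gid-owner pinguser, setuid-root ping: $(verdict --gid-owner pinguser 201 202 4755 0 0)"
echo "--uid-owner pinguser, non-setuid ping:  $(verdict --uid-owner pinguser 201 202 755 0 0)"
```

On a real host the two checks this models are `ls -l "$(command -v ping)"` (is the setuid bit set, and on whose file?) and `iptables -L domains-rules-out -v -n`, which shows per-rule packet counters so you can see whether the owner rule is being hit at all or the packet is falling through to the policy.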

Sergey Vinogradov (fdsc) wrote :
Sergey Vinogradov (fdsc)
information type: Private Security → Public Security
Brad Figg (brad-figg) wrote : Status changed to Confirmed

This change was made by a bot.

Changed in linux (Ubuntu):
status: New → Confirmed