Warren Kumari <[email protected]> wrote:
>> The fewer privilege escalation points the better, I suppose. From that
>> perspective a UDP socket may be less concerning, but perhaps not by much.
>> NetworkMonitor has the appropriate privileges to do the needful,
>> regardless.
> I'll start off by admitting that this is a cheap shot, but:
> https://access.redhat.com/security/vulnerabilities/3442151
(yeah, so that's as much about using shell for things it was never designed to do.)
> I'm uncomfortable with the "let's have all machines which might possibly
> connect to a network with a captive portal have a daemon listening on a
> well-known UDP port" idea. Yes, it is very similar to "let's have all
> machines which might possibly connect to a network with a captive portal
> have a thingie watching for special ICMP messages", but somehow it feels
> very different. Yes, I understand the irony of building networks based on
> what makes Warren uncomfortable, but...
I agree, it's different. ICMP is generally handled centrally by the kernel,
and it isn't handed off to random shell scripts. The kernel does some
validation of the incoming packet.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-