# What security risk does allow.raw_sockets=1 enable in a jail?



## icecoke (Nov 21, 2013)

Hi,

I wonder what security risk arises when I enable `allow.raw_sockets=1` for jails? These are customer jails and yes, I can't finally trust them. The point is, the customers wonder why they are not allowed to ping or trace. Is there a way to have a compromise?

Many thanks in advance!


----------



## fonz (Nov 21, 2013)

icecoke said:

> I wonder what security risk arises when I enable
>
> ...


Access to raw sockets enables one to perform packet sniffing/spoofing/injection because it pretty much bypasses the normal TCP/IP stack. Raw sockets are root's prerogative, which is why programs such as ping(8) are suid root. I imagine that a weakness in such programs could enable a skillful cracker to achieve a jailbreak.

This is just off the top of my head first instinct, though. If I can find the time to give it some more thought (which I probably should) I'll follow up. Or maybe this will inspire others to weigh in.


----------



## kpa (Nov 21, 2013)

Ask your customers whether they really need the ability to ping(8) and traceroute(8). It may turn out that they don't really need that capability.


----------



## icecoke (Nov 22, 2013)

@kpa They need what they get. So they will live with it, I guess.

@fonz Thanks for your suggestion. Our customers even have root in their jail, so there would be no weakness needed; they could write their own code if raw sockets enable bad things. :\

What about `sysvipc_allowed=1`? Is this a risk for a jailbreak or 'just' for sniffing/killing shared memory of other jails (assuming the host is not using shared memory at all)?

Thanks again!


----------
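For the host operator's side of this question, an added example (not from any poster in this thread): an sh function that reads `jls -n` output and lists the jails that currently have raw sockets or host-shared SysV IPC enabled. It assumes `jls -n` prints enabled booleans as `allow.raw_sockets` and disabled ones as `allow.noraw_sockets`; the `sysvmsg`/`sysvsem`/`sysvshm` parameters exist only on newer FreeBSD releases, and the sample lines and jail names are constructed.

```shell
#!/bin/sh
# Added example: audit running jails for the permissions discussed in this thread.

# audit_jails: reads `jls -n` style output on stdin (one jail per line,
# space-separated parameters). Prints "<jail>: <finding>[,<finding>...]"
# for every jail that has raw sockets or host-shared SysV IPC enabled.
audit_jails() {
    awk '
    {
        name = "(unnamed)"; findings = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/) {
                name = substr($i, 6)
            } else if ($i == "allow.raw_sockets") {
                # Jail root can open raw sockets (needed by ping/traceroute).
                findings = findings ",raw_sockets"
            } else if ($i == "allow.sysvipc") {
                # Older switch: jail shares the SysV IPC namespace with the host.
                findings = findings ",sysvipc"
            } else if ($i ~ /^sysv(msg|sem|shm)=inherit$/) {
                # Newer per-facility parameters; "inherit" means shared namespace.
                split($i, kv, "=")
                findings = findings "," kv[1] "=inherit"
            }
        }
        if (findings != "") print name ": " substr(findings, 2)
    }'
}

# Constructed sample input (not captured from a real host).
sample_jls_output() {
    cat <<'EOF'
jid=1 name=cust1 path=/jails/cust1 securelevel=-1 sysvshm=disable allow.noraw_sockets allow.nosysvipc
jid=2 name=cust2 path=/jails/cust2 securelevel=-1 sysvshm=disable allow.raw_sockets allow.nosysvipc
jid=3 name=cust3 path=/jails/cust3 securelevel=-1 sysvshm=inherit allow.raw_sockets allow.sysvipc
EOF
}

# On a real host: jls -n | audit_jails
sample_jls_output | audit_jails
```
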

