TCP connections restricted to specific users
Florian Weimer
fweimer at redhat.com
Wed Apr 16 08:17:55 UTC 2014
Suppose I have a cluster of machines, running an application. The
application opens up TCP connections to other machines, without any form
of authentication.

If nothing else is running on these machines, it is possible to use
iptables, perhaps in combination with IPsec, to prevent misuse of these
services.

If there are other services running on the cluster nodes which are supposed
to have different privileges, what are my options to preserve this
distinction in privileges? If those other services can connect to the
TCP port used by the clustered application, it's possible that the
(supposedly unprivileged) service takes over the cluster. Would
iptables owner match work here? Is there some way to pass on user
information with IPsec?
--
Florian Weimer / Red Hat Product Security Team