
Bug#866252: marked as done (apt-get update doesn't work when connection is filtered through iptables owner module)



Your message dated Wed, 28 Jun 2017 22:10:08 +0200
with message-id <20170628201008.eqbiwzwab3lcclo5@jak-x230>
and subject line Re: Bug#866252: apt-get update doesn't work when connection is filtered through iptables owner module
has caused the Debian Bug report #866252,
regarding apt-get update doesn't work when connection is filtered through iptables owner module
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
866252: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866252
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 1.4.6

I'm not very sure that this is a bug or not, but I'm inclined to treat
this as a bug because it's different from expected behavior. iptables
is a well-known component of the Linux kernel and many users use it to
control access to network resources and especially the Internet.

The problem here is that when you use the owner module to restrict
access to only the root group, the root user (sudo) isn't able to do the
"apt-get update" (or rather any apt-get command that uses the internet,
such as "apt-get download"), though he is able to use the internet
otherwise.

We can demonstrate it as follows:

Step-1: Create an iptables rule set such as the following that denies
internet (ports 80, 443) to all users except the root group:

iptables --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat -F
iptables --table nat -X

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT    -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -p udp --dport 53  -j ACCEPT #dns

iptables -A OUTPUT   -p tcp --dport 80 -m owner --gid-owner root -j ACCEPT #http
iptables -A OUTPUT   -p tcp --dport 443 -m owner --gid-owner root -j ACCEPT #https

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP


Step-2: Now, run "sudo apt-get update" (needs a Debian machine where
sudo is set up, or you can try "sudo -i" and then apt-get update).

Expected Result: The apt cache should get updated.
Actual Result: The process is stuck at 0% with a message such as below:

0% [Connecting to debian.gtisc.gatech.edu (128.61.240.89)] [Connecting
to klecker-ftp.debian.org (130.89.148.12)] [Connecting to
security.debian.org (150.203.164.61)]

Step-3: However, if you run any other command using "sudo" that requires
an internet connection, it works. For example, the following works
perfectly:

sudo telnet google.com 80

This shows that the bug (or whatever) isn't with the iptables owner
module, but something is wrong with apt. Let me know whether my
understanding is correct or not.

------------------------------------------

The Debian version I'm using is 9.0, which was released recently (Linux
debian 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2 (2017-06-12) x86_64
GNU/Linux). But I think the bug isn't specific to this
Debian version; it might apply to other/multiple Debian versions, as I've
found this same behavior on Ubuntu 16.04 as well.

Please let me know if you need any more details.

--- End Message ---
--- Begin Message ---
On Thu, Jun 29, 2017 at 12:34:37AM +0530, Prahlad Yeri wrote:
> Package: apt
> Version: 1.4.6
> 
> I'm not very sure that this is a bug or not, but I'm inclined to treat
> this as a bug because it's different from expected behavior. iptables
> is a well-known component of the Linux kernel and many users use it to
> control access to network resources and especially the Internet.
> 
> The problem here is that when you use the owner module to restrict
> access to only the root group, the root user (sudo) isn't able to do the
> "apt-get update" (or rather any apt-get command that uses the internet,
> such as "apt-get download"), though he is able to use the internet
> otherwise.

Downloads are performed by the _apt user for security reasons.

-- 
Debian Developer - deb.li/jak | jak-linux.org - free software dev
                  |  Ubuntu Core Developer |
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to ('inline').  Thank you.

--- End Message ---
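As an added example (not part of the report or the maintainer's reply), the two owner-match rules from Step 1 rewritten so that the unprivileged `_apt` user apt drops to for downloads is also allowed out on ports 80 and 443; the `_apt` account name is Debian's, the helper function names are assumptions of this example, and installing the rules needs root (run with `IPTABLES=echo` to only print them).

```shell
#!/bin/sh
# Added example: egress owner rules that cover both the root group (the
# reporter's rules) and apt's download user. These replace the two
# --gid-owner root lines in Step 1; the lo/ESTABLISHED/DNS rules and the
# DROP policies from the report stay as they are.
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo to dry-run
APT_USER="${APT_USER:-_apt}"       # Debian's unprivileged apt download user

# Emit one OUTPUT rule (without the leading -A) allowing TCP to port $2
# for the owner selector in $1, e.g. "--gid-owner root" or "--uid-owner _apt".
owner_rule() {
    printf 'OUTPUT -p tcp --dport %s -m owner %s -j ACCEPT\n' "$2" "$1"
}

# Print the full egress rule list, one rule per line: for each web port,
# the original root-group rule plus the rule the report was missing.
egress_rules() {
    for port in 80 443; do
        owner_rule "--gid-owner root" "$port"
        owner_rule "--uid-owner $APT_USER" "$port"
    done
}

# Install the rules with the configured iptables binary (needs root).
apply_rules() {
    egress_rules | while read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule into words is intended
        "$IPTABLES" -A $rule
    done
}

# Returns 0 if the rule list lets user $1 reach TCP port $2, else 1.
# Useful as a quick audit before reloading a rule set.
allows_user_port() {
    egress_rules | grep -q -- "--dport $2 -m owner --uid-owner $1 -j ACCEPT"
}

case "${1-show}" in
    apply) apply_rules ;;
    show)  egress_rules ;;
esac
```

Because the state rule in Step 1 accepts ESTABLISHED,RELATED replies for every user, only the initial outbound connection needs the owner match, so these four rules are sufficient for apt's HTTP and HTTPS methods.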
