Does AFWall+ need to constantly run su/privileged-mode? #480
This has been answered already. AFWall+ needs to reapply the iptables rules on connectivity change. Acquiring and applying rules takes a longer time. That's the reason the root shell is required and it's not for logs.
Thanks for getting back... I am sorry I have not found the previous question. I would be grateful if you can point me to the relevant discussion. That said, I don't fully understand your answer. Why not just re-acquire the root shell when there is need to reapply the rules? It should not be much slower (assuming the user has granted root permissions indefinitely to the app). The main problem is that I understand this "#" icon as a warning: "Watch out: Something is using a root shell permanently in the background". This, I understand, is not an expected behaviour in general (so they put a notification about it). If AFWall+ assumes that behaviour, there is no way to be warned if some other app maliciously does it. I understand that actively logging etc. might require this. But I'd prefer the root shell to be released when it's not used.
Fair enough. I think the reason that "everyone is whining" is that the app keeps root privileges when it doesn't need them. When I realized this my first question was: what is this app doing that it needs to keep a root session all the time? So, you tell me, it is doing absolutely nothing, and that it just keeps it for convenience to save a few milliseconds on the next connectivity change. Well, fair enough, but you cannot have me believe that it surprises you that people ask what's going on with it nevertheless. I never said that it was insecure. I just said it is usually good practice to drop privileges when you don't need them. Since AFWall+ does not drop them, that simply raises questions about how the app is functioning (and as a side-effect the # icon is an annoyance that could be avoided). So yes, please, put it in the FAQ and explain why it needs an open root shell all the time and you will save threads like this. I did check the FAQ but I do apologize I didn't see that #458 has a similar discussion and I do THANK YOU for taking the time to answer. Best regards and thanks for this app.
The '#' icon is a security feature as you said. IMHO there is nothing wrong with it. Apps are not expected to run root shell continuously in the background unless they are actively doing something (say logging). Yes, the ROM could have a 'do not warn about this app' option. But AFWall+ could also release the shell when it's not in use (which, again, seems a logical thing to do after you have set up the necessary iptable rules). This is your implementation choice of course, and as said before, do what you like. I'm of course not going to go to Cyanogenmod people and lobby them to tweak a perfectly fine feature just because you're too lazy to drop an idle root shell. This has nothing to do with other apps or Android, it has to do with not using root when you don't need to. If this pisses you off, well that's fine, but you fail to see it's AFWall+'s behaviour that raises the questions because it does not work as someone would expect. I'm closing this as there is nothing left to discuss. And btw, don't take things so personally. I was never "whining", never intended to post "over and over again". I just opened a thread to ask a simple question and have tried to explain why this question arises. Take care.
ok i have question on re applying rules - some concurrency scenario installed both:
both are reapplying rules on conn changes question: do u use any synchronization to maintain consistency of changes ? why ? both in same time changing tables ! let me quote a passage on this matter: Iptables and ? Breaking down the requirements
Monitoring static files
Monitoring dynamic content
Monitoring content changes
Logging, log monitoring, remote logging
While Sudo (when appropriately configured) will log issued commands it will not do so for users that have been allowed root account access. To provide separated per user, independent, timestamped logging of commandline (and output!) you will configure those unprivileged user accounts to use 'Rootsh' to sudo to root by allowing them to run something like 'sudo rootsh -u root -i'. Depending on configuration the logfiles may go to /var/log/rootsh or syslog. In addition to monitoring above this will provide you with enough of an auditing trail to help you determine which user changed what files contents at what time.
Logging means reading logs. Without automating it this soon becomes more than a 24/7 job. For instantaneous response to priority 1 alerts you will need a log watcher like Swatch or SEC (or search Freshmeat, Sourceforge, Nongnu, Berlios) that can alert (and respond) to alerts by filtering for certain regexes. For logging at intervals you could use for instance Logwatch.
Wrap-up
do u know meaning a word "quote" ? <- rhetorical question :) for many people when u give a source they are too lazy to read it :) ps: audit is not off topic as on my screen notoriously i see:
@CHEF-KOCH thanks for clarifying!
I added this feature because opening a new root shell is a slow operation and we had performance issues on some devices. It is also recommended by Chainfire's guide:
Regarding:
Only the iptables commands run as root, even when the shell is open. The rest of the app does not. This isn't the equivalent of calling There's no real benefit in closing the root shell, because the app already has permission to re-open it at any time.
A truly malicious app that manages to get root access can hide the icon. From looking at this code it seems that it only gets displayed when an app acquires root through the "front door." If a malware app gains root by exploiting a kernel vulnerability and then modifies the rootfs to make itself persistent, the icon will not show up. This could give users a false sense of security.
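The trade-off argued in this thread, as an added example that is not AFWall+ code and not part of any comment: one long-lived shell fed commands over stdin, versus a fresh shell per command. `sh` stands in for `su` so the sketch runs unprivileged, and `PersistentShell` and `run_once` are hypothetical names.

```python
import subprocess
import uuid


class PersistentShell:
    """One long-lived shell; only the lines written to its stdin run in it."""

    def __init__(self, argv=("sh",)):  # assumption: "sh" stands in for "su"
        self.proc = subprocess.Popen(
            list(argv), stdin=subprocess.PIPE, stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT, text=True)

    def run(self, command):
        """Run one command and return (exit_status, output)."""
        marker = uuid.uuid4().hex  # random end-of-command marker
        # The leading \n puts the marker on its own line even when the
        # command's output does not end with a newline.
        self.proc.stdin.write(
            f"{command}\nprintf '\\n%s %s\\n' {marker} $?\n")
        self.proc.stdin.flush()
        lines, status = [], None
        for line in iter(self.proc.stdout.readline, ""):
            if line.startswith(marker):
                status = int(line.split()[1])
                break
            lines.append(line)
        if status is None:
            raise RuntimeError("shell exited before the command finished")
        return status, "".join(lines)[:-1]  # drop the newline we added

    def close(self):
        """Release the shell: after this no privileged process is left."""
        self.proc.stdin.write("exit\n")
        self.proc.stdin.flush()
        self.proc.wait(timeout=5)


def run_once(command, argv=("sh",)):
    """Spawn a fresh shell for a single command (with su: su -c ...)."""
    done = subprocess.run([*argv, "-c", command],
                          capture_output=True, text=True)
    return done.returncode, done.stdout


if __name__ == "__main__":
    shell = PersistentShell()
    print("persistent:", shell.run("echo $$"), shell.run("echo $$"))
    print("per-command:", run_once("echo $$"), run_once("echo $$"))
    shell.close()
```

The persistent shell reports the same PID on every call, which is the continuously running process a "#" indicator reflects; the per-command variant leaves nothing running between calls but pays the process start-up cost each time.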
Two other random tidbits I remembered after posting:
Hi there, semi-related, I have a wifi only tablet, I very rarely change to another wifi network when traveling, is it okay to disable active rules? Thanks.
Hello, I have started using AFWall+. So far so good, except CM13 displays a "#" sign on the notification bar which means something is running with root permissions.
I understand this is necessary when logging is enabled. But other than that, can't AFWall+ just use "su" when it needs to perform some occasional privileged operation (reading/writing the iptables), and not constantly all the time? I'm not very familiar with the app, but it'd seem a good practice to gain root privileges only when an operation requires them and not keep them constantly. Regards!