From owner-freebsd-net@FreeBSD.ORG Tue Oct 12 13:11:54 2004
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 06DBE16A4CE; Tue, 12 Oct 2004 13:11:54 +0000 (GMT)
Received: from kane.otenet.gr (kane.otenet.gr [195.170.0.27]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3414043D1D; Tue, 12 Oct 2004 13:11:53 +0000 (GMT) (envelope-from keramida@freebsd.org)
Received: from orion.daedalusnetworks.priv (host5.bedc.ondsl.gr [62.103.39.229]) i9CDBIiA023307; Tue, 12 Oct 2004 16:11:31 +0300
Received: from orion.daedalusnetworks.priv (orion [127.0.0.1]) i9CDBCtM054693; Tue, 12 Oct 2004 16:11:12 +0300 (EEST) (envelope-from keramida@freebsd.org)
Received: (from keramida@localhost) i9CDBCk1054692; Tue, 12 Oct 2004 16:11:12 +0300 (EEST) (envelope-from keramida@freebsd.org)
Date: Tue, 12 Oct 2004 16:11:12 +0300
From: Giorgos Keramidas
To: Robert Watson
Message-ID: <20041012131112.GA54651@orion.daedalusnetworks.priv>
References: <20041012112500.GA27309@orion.daedalusnetworks.priv>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
cc: freebsd-net@freebsd.org
cc: csjp@freebsd.org
cc: swp@swp.pp.ru
Subject: Re: IP options broken for raw sockets on cred downgrade (was: Re: why required root privileges to set multicast options now?)
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Tue, 12 Oct 2004 13:11:54 -0000

On 2004-10-12 09:04, Robert Watson wrote:
> On Tue, 12 Oct 2004, Giorgos Keramidas wrote:
> > On 2004-10-11 16:31, Robert Watson wrote:
> > > + * NOTE: Regarding access control.  Raw sockets may only be created by
> > > + * privileged processes; however, as a result of jailed processes and the
> > > + * ability for processes to downgrade privilege yet retain a reference to the
> > > + * raw socket.  As such, explicit access control is required here, or when
> > > + * unimplemented requests are passed to ip_ctloutput(), are required there.
> >
> > Can we rewrite this descriptive comment a bit?  I can't really
> > understand what is being said by reading the comment.  Reading the diff
> > of the source is easy, but we should try to make the comment more
> > comprehensible too ;-)
>
> Maybe something like the following:
>
>  * IMPORTANT NOTE regarding access control: Traditionally, raw sockets
>  * could only be created by a privileged process, and as such, socket
>  * option operations to manage system properties on any raw socket were
>  * allowed to take place without explicit additional access control
>  * checks.  However, raw sockets can now also be created in jail(), and
>  * therefore explicit checks are now required.  Likewise, raw sockets can
>  * be used by a process after it gives up privilege, so some caution is
>  * required.  For options passed down to the IP layer via ip_ctloutput(),
>  * checks are assumed to be performed in ip_ctloutput() and therefore no
>  * check occurs here.  Unilaterally checking suser() here breaks normal IP
>  * socket option operations on raw sockets.
>  *
>  * When adding new socket options here, make sure to add access control
>  * checks here as necessary.

Yep, this sounds like a better explanation.  Thanks :-)
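Review bot: the NOTE block in the quoted hunk ("+ * NOTE: Regarding access control. ...") does not state the actual security rule: its second sentence ("however, as a result of jailed processes and the ability for processes to downgrade privilege yet retain a reference to the raw socket.") has no main clause, and the last sentence ("... are required there.") has no subject, so a reader cannot tell which options are checked locally and which rely on ip_ctloutput(). Suggest the comment say explicitly that (a) a raw socket can be held by a jailed or privilege-dropped process, so creation-time privilege cannot be assumed at setsockopt time, (b) options handled in this function need their own check, and (c) options passed through to ip_ctloutput() are checked there and must not also be gated by suser() here, since that breaks ordinary IP option handling on raw sockets. The replacement wording proposed later in the thread covers all three points.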