Date: Fri, 9 Jan 2009 19:02:34 +0000 (GMT)
From: Robert Watson
To: Julian Elischer
Cc: svn-src-head@freebsd.org, Max Laier, Adrian Chadd, src-committers@freebsd.org, svn-src-all@freebsd.org
Subject: Re: svn commit: r186955 - in head/sys: conf netinet
In-Reply-To: <49678D5E.3030600@elischer.org>
References: <200901091602.n09G2Jj1061164@svn.freebsd.org> <200901091802.10287.max@love2party.net> <49678D5E.3030600@elischer.org>

On Fri, 9 Jan 2009, Julian Elischer wrote:

> Max Laier wrote:
>> On Friday 09 January 2009 17:02:19 Adrian Chadd wrote:
>>> Author: adrian
>>> Date: Fri Jan 9 16:02:19 2009
>>> New Revision: 186955
>>> URL: http://svn.freebsd.org/changeset/base/186955
>>>
>>> Log:
>>> Implement a new IP option (not compiled/enabled by default) to allow
>>> applications to specify a non-local IP address when bind()'ing a socket
>>> to a local endpoint.
>>
>> That's a *socket* option ... you had me very worried there for a moment ;)
>> I don't quite see why you'd hide these under a build time option - having
>> the sysctl defaulting to off under CTLFLAG_SECURE seems good enough - if
>> people disagree - make it a boot time tuneable, but I certainly don't see
>> why you should have to rebuild the kernel for a minor thing like this. It
>> certainly isn't performance critical.
>
> because it can be a big security hole and you do not want people to have it
> available on the average machine. Also because purists complained about it.
> You'll notice that the compile option enables the sysctl, which is used to
> turn on and off the capacity to do this per socket. So the admin can disable
> it, but I felt a lot more comfortable having it not compiled in by default.

At the risk of turning something simple that has for unknown reasons taken a
half dozen commits to get right into something that takes a half dozen plus
one: the security stuff in this commit is really weird. I'd prefer this socket
option:

(1) Not be a kernel option, since the last thing we need is yet more
    conditionally compiled edge cases

(2) Require privilege by default, ideally a new privilege

(3) If it's desirable to make it easily accessible without privilege on some
    systems, add a sysctl that controls whether privilege is required.

This would make it available in GENERIC, default to requiring root, but allow
that to be tweaked easily in the same way we require privilege to bind low
port numbers by default, but using sysctls can tune the policy to something
useful in more specific environments.

There's been talk of adding a fine-grained privilege model to FreeBSD 8.0 so
that specific privileges could be granted in a more general way, but that
hasn't happened yet. It's also possible to do that already using a custom MAC
policy since MAC policy modules can tune the privilege model to add and remove
privileges for processes in a granular way. But only if this operation is
assigned a specific privilege.

Robert N M Watson
Computer Laboratory
University of Cambridge
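The following is an added illustration of the policy shape Robert argues for in the reply above; it is not FreeBSD code and not part of the original thread. It models, in user space, a "bind a non-local address" socket option that is always compiled in, requires a dedicated privilege by default, and can be relaxed through a sysctl-like tunable, alongside the reserved-port rule he compares it to. Every identifier (`sim_priv_check`, `SIM_PRIV_BIND_NONLOCAL`, the `sim_*` structs, the tunable defaults) is a hypothetical stand-in, not the kernel's real API, and the `granted` credential stands in for a MAC policy module handing one specific privilege to an unprivileged process.

```c
/*
 * Added illustration, not FreeBSD code: a user-space model of the proposal
 * in the mail (privilege required by default, a sysctl that can relax it),
 * next to the reserved-port rule it is compared to. All identifiers are
 * hypothetical stand-ins for the kernel's own.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical privilege numbers (the kernel has its own PRIV_* namespace). */
enum sim_priv { SIM_PRIV_BIND_RESERVED_PORT = 1, SIM_PRIV_BIND_NONLOCAL = 2 };

/* Stand-ins for sysctls. Defaults follow the mail: the option is compiled in,
 * but using it needs privilege until an administrator relaxes that. */
struct sim_tunables {
    uint16_t reserved_port_high;   /* ports 1..this need privilege; 0 disables the rule */
    bool     nonlocal_requires_priv;
};

/* Credential: uid plus privileges granted individually by a MAC-style policy module. */
struct sim_cred {
    uint32_t uid;
    uint32_t granted;              /* bitmask indexed by enum sim_priv */
};

struct sim_socket { bool nonlocal_bind_opt; };

/* Privilege check: uid 0 holds everything; anyone else only what was granted. */
static int sim_priv_check(const struct sim_cred *cr, enum sim_priv p)
{
    if (cr->uid == 0 || (cr->granted & (1u << p)) != 0)
        return 0;
    return EPERM;
}

/* setsockopt() side: the privilege decision happens when the option is enabled,
 * and only while the tunable still demands privilege (point 3 of the proposal). */
static int sim_set_nonlocal_bind(const struct sim_tunables *t, const struct sim_cred *cr,
                                 struct sim_socket *so, bool on)
{
    if (on && t->nonlocal_requires_priv) {
        int error = sim_priv_check(cr, SIM_PRIV_BIND_NONLOCAL);
        if (error != 0)
            return error;
    }
    so->nonlocal_bind_opt = on;
    return 0;
}

/* bind() side: reserved ports use the same shape of check; a non-local address
 * is refused unless the option was successfully enabled on this socket. */
static int sim_bind(const struct sim_tunables *t, const struct sim_cred *cr,
                    const struct sim_socket *so, bool addr_is_local, uint16_t port)
{
    if (port != 0 && t->reserved_port_high != 0 && port <= t->reserved_port_high &&
        sim_priv_check(cr, SIM_PRIV_BIND_RESERVED_PORT) != 0)
        return EACCES;
    if (!addr_is_local && !so->nonlocal_bind_opt)
        return EADDRNOTAVAIL;
    return 0;
}

/* Convenience: enable the option (if allowed) and then bind; returns the first error. */
static int sim_try(const struct sim_tunables *t, const struct sim_cred *cr,
                   bool addr_is_local, uint16_t port)
{
    struct sim_socket so = { false };
    int error = sim_set_nonlocal_bind(t, cr, &so, true);
    if (error != 0)
        return error;
    return sim_bind(t, cr, &so, addr_is_local, port);
}

int main(void)
{
    const struct sim_tunables defaults = { 1023, true };
    const struct sim_tunables relaxed  = { 1023, false };   /* admin flipped the tunable */
    const struct sim_cred root    = { 0, 0 };
    const struct sim_cred user    = { 1000, 0 };
    const struct sim_cred granted = { 1000, 1u << SIM_PRIV_BIND_NONLOCAL }; /* MAC-style grant */

    printf("root,    non-local, port 8080, defaults: %d\n", sim_try(&defaults, &root, false, 8080));
    printf("user,    non-local, port 8080, defaults: %d (EPERM=%d)\n",
           sim_try(&defaults, &user, false, 8080), EPERM);
    printf("user,    non-local, port 8080, relaxed : %d\n", sim_try(&relaxed, &user, false, 8080));
    printf("granted, non-local, port 8080, defaults: %d\n", sim_try(&defaults, &granted, false, 8080));
    printf("granted, non-local, port 80,   defaults: %d (EACCES=%d)\n",
           sim_try(&defaults, &granted, false, 80), EACCES);
    return 0;
}
```

The point of putting the check in the setsockopt path rather than in bind() is that the privileged decision is made once, when the capability is requested, and the socket then carries it; the reserved-port check stays where it already lives. Because the privilege is a distinct one, a policy module can grant exactly it (the `granted` case) without also handing out reserved ports, which is the granularity the last paragraph of the mail asks for.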