From: Max Laier
Organization: FreeBSD
To: "Adrian Chadd"
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, Julian Elischer
Date: Fri, 9 Jan 2009 20:08:05 +0100
Subject: Re: svn commit: r186955 - in head/sys: conf netinet
References: <200901091602.n09G2Jj1061164@svn.freebsd.org> <200901091909.00457.max@love2party.net>
Message-Id: <200901092008.06049.max@love2party.net>

On Friday 09 January 2009 19:29:11 Adrian Chadd wrote:
> 2009/1/9 Max Laier :
> > Speaking of disabling it ... setting the sysctl to 0 is not really enough
> > to do that. One would also have to walk through the active sockets and
> > GC any that are bound to nonlocal addresses to really disable it ... or
> > do we rely on tcpdrop or the like to do that manually? Of course it
> > would make sense to have something like this: start tproxy, bind
> > forwarding ports, disable sysctl, raise securelevel
> >
> > In addition, should there be a priv(9) check in ip_ctloutput?
>
> For which priv? Surely you don't really want people running services as
> root? :)

You don't want your normal user to be able to bind to foreign addresses
either. If you need to create sockets over and over again, you use
privilege separation as done in OpenBSD.

> gnn and I talked about this a bit on IRC, and I was waiting for
> rwatson to come online before posting a followup. Linux's
> implementation of this stuff uses the CAP_NET_ADMIN capability to
> define whether a process can do this or not. So users would start
> Squid as root, Squid would acquire CAP_NET_ADMIN, drop root, and then
> use it whenever required.
>
> Also, this is an option set on bind() on an outbound socket, not a
> listen() socket. You'd bind() to the client IP you're pretending to
> be, then connect() to the server destination. You can't raise
> securelevel/disable sysctl in the way you described.

I see ... though there is no restriction in your code yet that would
prevent one from using it on a listen() socket.

Can you hold off on further commits until we reach a consensus about how
this should be done? This is getting a bit messy for my taste.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
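The bind()-to-the-client-address-then-connect() sequence Adrian describes, as an added example that is not part of this thread or of the r186955 code: the non-local bind option is requested only in the privileged step, so an unprivileged process is stopped at the kernel's priv(9)/CAP_NET_ADMIN check or, without the option, at bind() itself. The option names IP_BINDANY (FreeBSD) and IP_TRANSPARENT (Linux) are assumed, and 192.0.2.10 is a constructed TEST-NET address.

```c
/* Added example (not from the thread or r186955): open an outbound TCP socket
 * whose source is a non-local client address, requesting the "bind to any
 * address" option only while privileged.  Assumed option names: IP_BINDANY
 * (FreeBSD, gated by priv(9)) and IP_TRANSPARENT (Linux, CAP_NET_ADMIN).
 * 192.0.2.10 is a constructed TEST-NET address. */
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#if defined(IP_BINDANY)
#define NONLOCAL_BIND_OPT IP_BINDANY
#elif defined(IP_TRANSPARENT)
#define NONLOCAL_BIND_OPT IP_TRANSPARENT
#else
#define NONLOCAL_BIND_OPT (-1)   /* no such option here: setsockopt() fails */
#endif

enum { ERR_SOCKET = 1, ERR_SETSOCKOPT, ERR_BIND };   /* which step failed */

/* Returns a socket bound to src_ip (ephemeral port), or -ERR_* with errno set.
 * want_nonlocal == 0 is what an unprivileged process effectively gets: the
 * kernel rejects the bind() with EADDRNOTAVAIL because the address is not
 * configured locally.  The caller drops privilege, then connect()s. */
int bind_foreign_source(const char *src_ip, int want_nonlocal)
{
    struct sockaddr_in sin;
    int one = 1, fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0)
        return -ERR_SOCKET;
    /* Privileged step: the kernel's priv/capability check happens here. */
    if (want_nonlocal &&
        setsockopt(fd, IPPROTO_IP, NONLOCAL_BIND_OPT, &one, sizeof(one)) < 0) {
        int e = errno; close(fd); errno = e;
        return -ERR_SETSOCKOPT;
    }
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(0);
    if (inet_pton(AF_INET, src_ip, &sin.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        int e = errno; close(fd); errno = e;
        return -ERR_BIND;
    }
    return fd;
}
```

Note that this is exactly the gap Max raises: nothing in the socket stops the same option being set on a socket that is later passed to listen(), so the kernel-side check, not this userland sequence, is where that restriction has to live.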