From owner-freebsd-hackers Mon Oct 8 23:26:48 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97]) by hub.freebsd.org (Postfix) with ESMTP id 26D1D37B401; Mon, 8 Oct 2001 23:26:42 -0700 (PDT)
Received: from itojun.org (localhost [127.0.0.1]) by coconut.itojun.org (Postfix) with ESMTP id 1F5FE4B22; Tue, 9 Oct 2001 15:26:36 +0900 (JST)
To: Shoichi Sakane
Cc: core@kame.net
Cc: hackers@freebsd.org, net@freebsd.org
In-reply-to: sakane's message of Tue, 09 Oct 2001 15:21:30 +0900. <20011009152130C.sakane@kame.net>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
Subject: Re: kame ipsec policy
From: itojun@iijlab.net
Date: Tue, 09 Oct 2001 15:26:36 +0900
Message-ID: <3958.1002608796@itojun.org>
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

>> On a related topic, there appears to be a code error in the
>> IPSEC code.
>>
>> Specifically, the priv flag is set to 1 if the user is root
>> and the socket is non-null (this lets the code be called
>> from the bridging code as well, so ignore the first half of
>> the "if" test, and concentrate on the "uid == 0" test).
>>
>> In the code that examines this flag, the comment is that it
>> is looking at whether or not the port is a privileged port,
>> not whether or not the user who owns it is root.
>>
>> This implies that the "rootness" check improperly flags any
>> ports opened by root, regardless of whether or not they are
>> privileged ports.

no, i guess you got something wrong. the "uid == 0" check is used in the ipsec code to control the behavior of policy lookups. it has nothing to do with "privileged port" (port number < 1024). if you need more discussion you'd need to specify the line numbers for the code you are worrying about.
itojun

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
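The distinction itojun draws above, as an added illustration that is not part of the original thread and not KAME's code: a hypothetical model of a socket-level IPsec policy lookup in which a `priv` flag, set at socket creation from `uid == 0`, selects which per-socket policies are honored, while the privileged-port test (`port < 1024`) is a separate function that the lookup never consults. The policy names, the `struct sock` layout and the rule that only a privileged socket may request BYPASS are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical per-socket policy values (assumed for this example). */
typedef enum {
    POLICY_ENTRUST = 0,   /* defer to the system-wide SPD */
    POLICY_BYPASS  = 1,   /* skip IPsec processing entirely */
    POLICY_IPSEC   = 2    /* apply the policy attached to the socket */
} policy_t;

/* Outcome of the lookup (assumed for this example). */
typedef enum {
    RESULT_SPD_LOOKUP,    /* go on to search the SPD */
    RESULT_BYPASS,        /* no IPsec for this packet */
    RESULT_SOCKET_POLICY, /* use the socket's own policy */
    RESULT_EINVAL         /* policy not allowed for this socket */
} result_t;

/* Minimal stand-in for a PCB; field names are assumptions. */
struct sock {
    unsigned       uid;     /* uid of the process that created the socket */
    unsigned short lport;   /* local port, kept only to show it is not consulted */
    policy_t       policy;  /* per-socket policy set via setsockopt */
    int            priv;    /* 1 if created by root, decided once at creation */
};

/* The "uid == 0" test: a property of the socket's owner, fixed at creation. */
void sock_init(struct sock *so, unsigned uid, unsigned short lport, policy_t pol)
{
    so->uid    = uid;
    so->lport  = lport;
    so->policy = pol;
    so->priv   = (uid == 0);
}

/* The "privileged port" test: a property of the port number only. */
bool is_privileged_port(unsigned short port)
{
    return port < 1024;
}

/* Policy lookup driven by so->priv. so->lport is deliberately never read. */
result_t lookup_policy(const struct sock *so)
{
    if (so->priv) {
        /* Privileged socket: every policy value is honored. */
        switch (so->policy) {
        case POLICY_BYPASS:  return RESULT_BYPASS;
        case POLICY_ENTRUST: return RESULT_SPD_LOOKUP;
        case POLICY_IPSEC:   return RESULT_SOCKET_POLICY;
        }
    } else {
        /* Non-privileged socket: BYPASS is refused (assumed rule). */
        switch (so->policy) {
        case POLICY_BYPASS:  return RESULT_EINVAL;
        case POLICY_ENTRUST: return RESULT_SPD_LOOKUP;
        case POLICY_IPSEC:   return RESULT_SOCKET_POLICY;
        }
    }
    return RESULT_EINVAL;
}

int main(void)
{
    struct sock root_high, user_low;

    /* Root-owned socket on an unprivileged port: priv is still set. */
    sock_init(&root_high, 0, 8080, POLICY_BYPASS);
    /* Unprivileged owner on a privileged port (e.g. after dropping
       privileges): priv is clear even though the port is < 1024. */
    sock_init(&user_low, 1000, 80, POLICY_BYPASS);

    printf("root/8080: priv=%d privport=%d lookup=%d\n",
           root_high.priv, is_privileged_port(root_high.lport),
           lookup_policy(&root_high));
    printf("uid1000/80: priv=%d privport=%d lookup=%d\n",
           user_low.priv, is_privileged_port(user_low.lport),
           lookup_policy(&user_low));
    return 0;
}
```

The two constructed sockets are chosen so that the checks disagree in both directions: the root socket on port 8080 is privileged for policy purposes but not on a privileged port, and the uid-1000 socket on port 80 sits on a privileged port yet gets `EINVAL` for BYPASS. If the lookup really were a port check, the second case would succeed and the first would fail.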