From owner-freebsd-security  Mon May 14 19:36:31 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns.morning.ru (ns.morning.ru [195.161.98.5])
	by hub.freebsd.org (Postfix) with ESMTP id 12F8537B42C
	for ; Mon, 14 May 2001 19:36:23 -0700 (PDT)
	(envelope-from poige@morning.ru)
Received: from NIC1 ([195.161.98.236])
	by ns.morning.ru (8.9.3/8.9.3) with ESMTP id KAA32395;
	Tue, 15 May 2001 10:36:19 +0800 (KRAST)
	(envelope-from poige@morning.ru)
Date: Tue, 15 May 2001 10:39:09 +0700
From: Igor Podlesny
X-Mailer: The Bat! (v1.52 Beta/7) UNREG / CD5BF9353B3B7091
Organization: Morning Network
X-Priority: 3 (Normal)
Message-ID: <10967731793.20010515103909@morning.ru>
To: Peter Pentchev
Cc: freebsd-security@FreeBSD.ORG
Subject: Re[2]: ipfw rules and securelevel
In-Reply-To: <20010514180201.C453@ringworld.oblivion.bg>
References: <10320318256.20010514212856@morning.ru>
	<19322552168.20010514220610@morning.ru>
	<20010514170927.A849@ringworld.oblivion.bg>
	<5523460344.20010514222118@morning.ru>
	<20010514180201.C453@ringworld.oblivion.bg>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> On Mon, May 14, 2001 at 10:21:18PM +0700, Igor Podlesny wrote:
>>
>> > On Mon, May 14, 2001 at 10:06:10PM +0700, Igor Podlesny wrote:
>> >>
>> >> >> Dear friends,
>> >> >> Even in securelevel 3 I can bypass ipfw rules. In securelevel 3 I
>> >> >> as root can change the variable "net.inet.ip.fw.enable" using sysctl. When
>> >> >> I run a command
>> >> >>
>> >> >> sysctl -w net.inet.ip.fw.enable=0
>> >> >>
>> >> >> It disables the ipfw rules.
>> >> >>
>> >> >> Is it a feature or hole in freebsd.
>> >>
>> >> > doesn't matter how it is called, only matters how it hurts... (it does)
>> >>
>> >> >> please help
>> >>
>> >> the "patch" (hard to call it a patch, but nevertheless) is adding
>> >> CTLFLAG_SECURE to the relevant definition of the node:
>> >>
>> >> this diff out is for 3.5 stable:
>> >>
>> >> 92c92
>> >> < SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
>> >> ---
>> >> > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE,
>>
>> > Patches/diffs are usually much easier to review and apply if they are
>> > in context or unified diff format - this helps when the patch is made
>> > against a possibly changed file :) And.. well.. it might be obvious
>> > to you (in this case it's pretty obvious to figure out ;), but still
>> > it helps a lot to mention which file(s) the patch is against :)
>>
>> oh, you're right :)
>>
>> it was
>> /usr/src/sys/netinet/ip_fw.c
>>
>> unified diff:
>>
>> --- /usr/src/sys/netinet/ip_fw.c.orig Fri Mar 23 19:44:27 2001
>> +++ /usr/src/sys/netinet/ip_fw.c Mon May 14 22:15:55 2001
>> @@ -89,7 +89,7 @@
>>
>> #ifdef SYSCTL_NODE
>> SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
>> -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
>> +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE,
>> &fw_enable, 0, "Enable ipfw");
>> SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,
>> &fw_one_pass, 0,

> Yup, this patch is much clearer, and I see no real reason against
> committing it.

My quick patch letter was for a person asking for help -- he asked and I
tried to answer. I'm not a member of the FreeBSD developer team, just a
user/amateur :)

> Actually, I think that even more of those sysctl's
> should be flagged as 'secure' - e.g. the ones related to logging.

I deem it is the business of the core team to decide which sysctls are to be
protected depending on the securelevel value... because it is their
design :)

-- 
Igor                            mailto:poige@morning.ru


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
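Review bot: the `+` line hardens only `enable`; the unchanged context two lines below it, `SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,`, shows the neighbouring knob still plain CTLFLAG_RW, and the reply already names the logging sysctls, so a root shell at securelevel 3 keeps every other net.inet.ip.fw.* tunable writable after this patch. Before committing, walk the remaining SYSCTL_INT definitions in ip_fw.c and add CTLFLAG_SECURE in the same patch to each one whose change alters what is filtered or logged, and state in the commit message that CTLFLAG_SECURE makes the generic sysctl code refuse the write with EPERM whenever securelevel is above 0, so no change to ipfw's own handlers is needed.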
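The thread fixes one knob by hand and then asks which others deserve the same flag. As an added example, not part of this thread or of FreeBSD's own sources, here is a small shell audit that answers that question statically: it scans kernel source text for SYSCTL_* leaves under a given node whose flags carry CTLFLAG_RW but not CTLFLAG_SECURE, i.e. the knobs root can still change at securelevel > 0. The sample input is constructed from the quoted hunk as it reads after the patch; the `verbose` definition and the description strings for it and for `one_pass` are assumptions standing in for the logging sysctls mentioned in the reply.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): list sysctl knobs
# under a node that remain writable at securelevel > 0, i.e. flags with
# CTLFLAG_RW but without CTLFLAG_SECURE. Works on kernel source text, so
# it can be pointed at /usr/src/sys/netinet/ip_fw.c or any file defining
# SYSCTL_* leaves.

# Constructed sample input: the definitions visible in the quoted hunk,
# after the patch, plus an ASSUMED "verbose" knob standing in for the
# logging sysctls. The description strings for one_pass and verbose are
# placeholders, not the real ones.
sample_src() {
	cat <<'EOF'
#ifdef SYSCTL_NODE
SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE,
    &fw_enable, 0, "Enable ipfw");
SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,
    &fw_one_pass, 0,
    "Placeholder description for one_pass");
SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose, CTLFLAG_RW,
    &fw_verbose, 0, "Placeholder description for verbose");
#endif
EOF
}

# unprotected_rw_sysctls PARENT < source.c
# Prints the leaf name of every SYSCTL_*(PARENT, OID_AUTO, name, flags, ...)
# whose flags mention CTLFLAG_RW and lack CTLFLAG_SECURE, one per line.
# A definition may span several lines; lines are joined until the ");".
unprotected_rw_sysctls() {
	awk -v parent="$1" '
	function flush(    s, n, f) {
		if (stmt == "") return
		s = stmt
		sub(/^[ \t]*SYSCTL_[A-Z_]+\(/, "", s)   # drop macro name and "("
		n = split(s, f, ",")                    # parent, OID_AUTO, name, flags, ...
		if (n >= 4) {
			gsub(/[ \t]/, "", f[1]); gsub(/[ \t]/, "", f[3]); gsub(/[ \t]/, "", f[4])
			if (f[1] == parent && f[4] ~ /CTLFLAG_RW/ && f[4] !~ /CTLFLAG_SECURE/)
				print f[3]
		}
		stmt = ""
	}
	# Start of a SYSCTL_* statement; flush at once if it closes on this line.
	/^[ \t]*SYSCTL_[A-Z_]+\(/ { stmt = $0; if (stmt ~ /\);/) flush(); next }
	# Continuation lines of an open statement.
	stmt != ""                { stmt = stmt " " $0; if (stmt ~ /\);/) flush() }
	'
}

# Run against the constructed sample. Against a real tree:
#   unprotected_rw_sysctls _net_inet_ip_fw < /usr/src/sys/netinet/ip_fw.c
sample_src | unprotected_rw_sysctls _net_inet_ip_fw
```

On the sample this reports `one_pass` and `verbose` and stays silent about `enable`, which is exactly the gap the reply points at. The runtime counterpart on a live FreeBSD host is to read `kern.securelevel` and attempt the write: once an OID carries CTLFLAG_SECURE, `sysctl -w net.inet.ip.fw.enable=0` is refused with EPERM (Operation not permitted) at any securelevel above 0, because the check lives in the generic sysctl code rather than in ipfw.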