Date: Thu, 30 Aug 2001 11:33:34 -0400 (EDT)
From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To: Ruslan Ermilov <ru@FreeBSD.ORG>
Cc: net@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Proposed change to route(4) sockets to make them available to non-superuser
Message-ID: <200108301533.f7UFXYT64952@khavrinen.lcs.mit.edu>
In-Reply-To: <20010830145840.A1554@sunbay.com>
References: <20010830145840.A1554@sunbay.com>

<<On Thu, 30 Aug 2001 14:58:40 +0300, Ruslan Ermilov <ru@FreeBSD.ORG> said:

> raw_uattach(struct socket *so, int proto, struct proc *p) > { > struct rawcb *rp = sotorawcb(so); > - int error; > if (rp == 0) > return EINVAL; > - if (p && (error = suser(p)) != 0) > - return error; > return raw_attach(so, proto); > }

This allows *anyone* to open any raw socket. This change should not be made; use a specialized route_uattach instead.

> + if (rtm->rtm_type != RTM_GET && suser(curproc) != 0)

Ick. I worked hard several years ago to get rid of all references to `curproc' in the network stack; I'm none too pleased to see them coming back. Since we already save the credentials of the process which opened the socket, we should do the access-control on the basis of those credentials, not on the basis of the process that happens to be running. (Consider, for example, a daemon which opens its sockets and then changes credentials for safety.)

-GAWollman

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
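
Review bot: In the raw_uattach hunk, deleting "if (p && (error = suser(p)) != 0) return error;" leaves no privilege check between the rp == 0 test and raw_attach(so, proto), and nothing in the visible lines limits that relaxation to routing sockets. Keep the suser(p) check in raw_uattach and move the relaxed policy into a route-specific attach function, so that any other caller of raw_uattach still requires superuser.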
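
Review bot: On the added line "if (rtm->rtm_type != RTM_GET && suser(curproc) != 0)", the privilege test is keyed to curproc, so the decision follows whichever process is current when the message is handled rather than the process that opened the socket. Pass in and test the credentials saved with the socket at open time instead, and add a comment stating that RTM_GET is the only message type permitted without privilege so the default-deny intent is explicit.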