From: Don Lewis
Date: Sat, 24 Aug 2002 18:19:00 -0700 (PDT)
Subject: Re: user based firewalling with ipfw and priviledged ports.
To: rmeijer@xs4all.nl
Cc: freebsd-security@FreeBSD.ORG
Message-Id: <200208250119.g7P1J0wr046025@gw.catspoiler.org>
In-Reply-To: <20020824100341.T75248-100000@xs1.xs4all.nl>

On 24 Aug, Rob J Meijer wrote:
> The problem is that I need to bind to a privileged port, and in order to
> do this I need to start as root and then change the (e&r) uid of the
> process to the target uid. It appears that the changing of the process's
> uid does not change the way that the user bit of traffic from the specific
> socket is seen, both iptables and ipfw interpret the traffic as coming
> from the root user.

You might want to consider binding to a predetermined unprivileged port as the desired user and using natd to redirect incoming connections from the privileged port to the unprivileged port. The only real flaw in this scheme is that the wrong user could bind to the predetermined unprivileged port.

If each user has a separate chroot environment, you could prevent this problem by using jail() instead of chroot(), because jail() allows you to specify a separate IP address for each jail, and in this case you could allocate addresses from the loopback network 127.x.x.x.
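
The reply above names one weakness of the redirect scheme: another account could bind the predetermined unprivileged port first. The following is an added example, not part of the original message: a check that reads listener output in the column layout of `sockstat -4l` and reports any predetermined port not held by its intended user. The user names, loopback addresses, port 8080 and the sample lines are constructed assumptions.

```shell
#!/bin/sh
# Intended owner of each predetermined unprivileged listener, as
# user=address:port items. Constructed values, not from the original message.
EXPECTED='alice=127.0.0.2:8080 bob=127.0.0.3:8080'

# check_listeners MAP
# Reads sockstat-style lines on stdin:
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_listeners() {
    awk -v map="$1" '
    BEGIN {
        bad = 0
        n = split(map, items, " ")
        for (i = 1; i <= n; i++) {
            split(items[i], kv, "=")          # kv[1]=user, kv[2]=addr:port
            want[kv[2]] = kv[1]
            port = kv[2]; sub(/.*:/, "", port)
            ports[port] = 1
        }
    }
    $1 == "USER" { next }                     # header line
    ($6 in want) {                            # exact address:port match
        seen[$6] = 1
        if ($1 != want[$6]) {
            printf "WRONG-OWNER %s bound by %s (pid %s), expected %s\n", $6, $1, $3, want[$6]
            bad = 1
        }
        next
    }
    $6 ~ /^\*:/ {                             # wildcard bind on a reserved port
        port = $6; sub(/.*:/, "", port)
        if (port in ports) {
            printf "WILDCARD %s bound by %s (pid %s)\n", $6, $1, $3
            bad = 1
        }
    }
    END {
        for (a in want) if (!(a in seen)) {
            printf "MISSING %s, expected owner %s\n", a, want[a]
            bad = 1
        }
        exit bad
    }'
}

# Constructed sample: bob's port has been taken by another account.
check_listeners "$EXPECTED" <<'EOF' || true
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
alice httpd 701 3 tcp4 127.0.0.2:8080 *:*
mallory nc 950 3 tcp4 127.0.0.3:8080 *:*
EOF
```

On a live host the input would come from `sockstat -4l | check_listeners "$EXPECTED"`, run from cron or before natd is started.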