Date:      Thu, 30 Aug 2001 20:41:32 +0300
From:      Ruslan Ermilov <ru@FreeBSD.ORG>
To:        Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc:        net@FreeBSD.ORG, security@FreeBSD.ORG
Subject:   Re: Proposed change to route(4) sockets to make them available to non-superuser
Message-ID:  <20010830204132.A47482@sunbay.com>
In-Reply-To: <200108301533.f7UFXYT64952@khavrinen.lcs.mit.edu>; from wollman@khavrinen.lcs.mit.edu on Thu, Aug 30, 2001 at 11:33:34AM -0400
References:  <20010830145840.A1554@sunbay.com> <200108301533.f7UFXYT64952@khavrinen.lcs.mit.edu>

On Thu, Aug 30, 2001 at 11:33:34AM -0400, Garrett Wollman wrote:
> <<On Thu, 30 Aug 2001 14:58:40 +0300, Ruslan Ermilov <ru@FreeBSD.ORG> said:
> 
> >  raw_uattach(struct socket *so, int proto, struct proc *p)
> >  {
> >  	struct rawcb *rp = sotorawcb(so);
> > -	int error;
>  
> >  	if (rp == 0)
> >  		return EINVAL;
> > -	if (p && (error = suser(p)) != 0)
> > -		return error;
> >  	return raw_attach(so, proto);
> >  }
> 
> This allows *anyone* to open any raw socket.  This change should not
> be made; use a specialized route_uattach instead.
> 
Not any, as almost all domains don't use raw_usrreqs, but you are
of course right.  At least PF_KEY_V2 raw sockets were affected.

> > +	if (rtm->rtm_type != RTM_GET && suser(curproc) != 0)
> 
> Ick.  I worked hard several years ago to get rid of all references to
> `curproc' in the network stack; I'm none too pleased to see them
> coming back.  Since we already save the credentials of the process
> which opened the socket, we should do the access-control on the basis
> of those credentials, not on the basis of the process that happens to
> be running.  (Consider, for example, a daemon which opens its sockets
> and then changes credentials for safety.)
> 
How about this one (kernel part only)?

Index: rtsock.c
===================================================================
RCS file: /home/ncvs/src/sys/net/rtsock.c,v
retrieving revision 1.55
diff -u -p -r1.55 rtsock.c
--- rtsock.c	2001/08/02 19:56:29	1.55
+++ rtsock.c	2001/08/30 17:37:56
@@ -123,7 +123,7 @@ rts_attach(struct socket *so, int proto,
 	 */
 	s = splnet();
 	so->so_pcb = (caddr_t)rp;
-	error = raw_usrreqs.pru_attach(so, proto, p);
+	error = raw_attach(so, proto);
 	rp = sotorawcb(so);
 	if (error) {
 		splx(s);
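Review bot: calling raw_attach() directly (the + line) also drops the `rp == 0` check that raw_uattach() used to perform before it; that is safe here only because `so->so_pcb` was just set from the freshly allocated `rp` two lines above, so a short comment at this call saying the privilege check now lives in route_output() would stop the next reader from treating the attach path as unprotected. The `p` argument of rts_attach() is no longer passed to anything in this hunk; confirm it is still used elsewhere in the function or note that it is kept only for the pru_attach signature.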
@@ -326,6 +326,14 @@ route_output(m, so)
 		else
 			senderr(ENOBUFS);
 	}
+
+	/*
+	 * Verify that the caller has the appropriate privilege; RTM_GET
+	 * is the only operation the non-superuser is allowed.
+	 */
+	if (rtm->rtm_type != RTM_GET && so->so_cred->cr_uid != 0)
+		senderr(EACCES);
+
 	switch (rtm->rtm_type) {
 
 	case RTM_ADD:
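Review bot: the `so->so_cred->cr_uid != 0` test answers the curproc objection by using the credential saved at socket open, but it hardcodes uid 0 rather than going through the kernel's privilege check, so any policy suser() applies beyond a bare uid comparison is bypassed at this point; if a credential-taking suser variant is available, use it here so the routing socket follows the same policy as the rest of the stack. Also note the errno change: the old suser() path refused a non-root open with EPERM, while this hunk accepts the open and returns EACCES per message, so callers that tested for EPERM will now see a different error; whichever is chosen, say so in the comment above the check.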


Cheers,
-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
