From owner-freebsd-net Thu Aug 30 10:43: 5 2001
Delivered-To: freebsd-net@freebsd.org
Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65])
	by hub.freebsd.org (Postfix) with ESMTP id BCEEC37B403;
	Thu, 30 Aug 2001 10:42:52 -0700 (PDT)
	(envelope-from ru@whale.sunbay.crimea.ua)
Received: (from ru@localhost)
	by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f7UHfWs48175;
	Thu, 30 Aug 2001 20:41:32 +0300 (EEST)
	(envelope-from ru)
Date: Thu, 30 Aug 2001 20:41:32 +0300
From: Ruslan Ermilov
To: Garrett Wollman
Cc: net@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: Proposed change to route(4) sockets to make them available to non-superuser
Message-ID: <20010830204132.A47482@sunbay.com>
References: <20010830145840.A1554@sunbay.com> <200108301533.f7UFXYT64952@khavrinen.lcs.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200108301533.f7UFXYT64952@khavrinen.lcs.mit.edu>; from wollman@khavrinen.lcs.mit.edu on Thu, Aug 30, 2001 at 11:33:34AM -0400
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.org

On Thu, Aug 30, 2001 at 11:33:34AM -0400, Garrett Wollman wrote:
> < said:
> 
> > raw_uattach(struct socket *so, int proto, struct proc *p)
> > {
> > 	struct rawcb *rp = sotorawcb(so);
> > -	int error;
> > 
> > 	if (rp == 0)
> > 		return EINVAL;
> > -	if (p && (error = suser(p)) != 0)
> > -		return error;
> > 	return raw_attach(so, proto);
> > }
> 
> This allows *anyone* to open any raw socket.  This change should not
> be made; use a specialized route_uattach instead.
> 
Not any, as almost all domains don't use raw_usrreqs, but you are of
course right.  At least PF_KEY_V2 raw sockets were affected.

> > +	if (rtm->rtm_type != RTM_GET && suser(curproc) != 0)
> 
> Ick.  I worked hard several years ago to get rid of all references to
> `curproc' in the network stack; I'm none too pleased to see them
> coming back.  Since we already save the credentials of the process
> which opened the socket, we should do the access-control on the basis
> of those credentials, not on the basis of the process that happens to
> be running.  (Consider, for example, a daemon which opens its sockets
> and then changes credentials for safety.)
> 
How about this one (kernel part only)?
Index: rtsock.c
===================================================================
RCS file: /home/ncvs/src/sys/net/rtsock.c,v
retrieving revision 1.55
diff -u -p -r1.55 rtsock.c
--- rtsock.c	2001/08/02 19:56:29	1.55
+++ rtsock.c	2001/08/30 17:37:56
@@ -123,7 +123,7 @@ rts_attach(struct socket *so, int proto,
 	 */
 	s = splnet();
 	so->so_pcb = (caddr_t)rp;
-	error = raw_usrreqs.pru_attach(so, proto, p);
+	error = raw_attach(so, proto);
 	rp = sotorawcb(so);
 	if (error) {
 		splx(s);
@@ -326,6 +326,14 @@ route_output(m, so)
 		else
 			senderr(ENOBUFS);
 	}
+
+	/*
+	 * Verify that the caller has the appropriate privilege; RTM_GET
+	 * is the only operation the non-superuser is allowed.
+	 */
+	if (rtm->rtm_type != RTM_GET && so->so_cred->cr_uid != 0)
+		senderr(EACCES);
+
 	switch (rtm->rtm_type) {
 	case RTM_ADD:


Cheers,
-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
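Review bot: In the rts_attach hunk, calling raw_attach(so, proto) directly instead of raw_usrreqs.pru_attach(so, proto, p) is what bypasses the suser(p) check quoted earlier in this thread for routing sockets specifically, so after this change creating a PF_ROUTE socket is unprivileged and only the request types filtered in route_output remain restricted. The commit message should say this explicitly, since the second hunk's comment only describes the RTM_GET restriction and not the fact that unprivileged processes can now hold an open routing socket at all.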
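Review bot: In the route_output hunk, so->so_cred->cr_uid != 0 is a bare uid comparison rather than a privilege check, so any policy the kernel's suser routines layer on top of "uid is 0" (jailed root being the obvious case) is not applied here; running the saved credential through the credential-based suser variant instead of testing cr_uid directly would keep this consistent with the rest of the stack while still honouring Garrett's point about not consulting curproc. Also note that the test sits before the switch on rtm->rtm_type, so an unprivileged caller sending an unrecognized type is refused with EACCES before the type is examined at all; that is probably fine, but it should be a deliberate choice.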
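The thread's argument, that the privilege decision must use the credentials saved on the socket and not whichever process happens to be running, can be exercised outside the kernel. The following is an added user-space model, not code from the mail or from the FreeBSD tree: struct ucred, struct socket, struct process, curproc, rts_attach and the two route_output variants are simplified stand-ins for the kernel objects of the same names, and the uid values are constructed for the scenario. It plays out the case Garrett describes, a daemon that opens its routing socket as root and then drops privileges, under both the curproc policy from the first patch and the so_cred policy from the second.

```c
/*
 * Added example: user-space model of the two access-control policies
 * discussed in the thread. Nothing here touches a real routing socket;
 * the structs are stand-ins for the kernel's, reduced to a uid.
 */
#include <errno.h>
#include <stdio.h>

/* RTM_* request types, with the historical BSD <net/route.h> values. */
#define RTM_ADD     0x1
#define RTM_DELETE  0x2
#define RTM_CHANGE  0x3
#define RTM_GET     0x4

struct ucred   { unsigned cr_uid; };
struct socket  { struct ucred so_cred; };   /* credential copied at attach time */
struct process { struct ucred p_ucred; };   /* a (model) process */

/* Model of the kernel's curproc: whichever process is running right now. */
static struct process *curproc;

/* Model of rts_attach(): the socket remembers the creator's credentials. */
static void rts_attach(struct socket *so, const struct process *p)
{
	so->so_cred = p->p_ucred;
}

/* Policy from the first patch: decide on the currently running process. */
static int route_output_curproc(const struct socket *so, int rtm_type)
{
	(void)so;
	if (rtm_type != RTM_GET && curproc->p_ucred.cr_uid != 0)
		return EACCES;
	return 0;
}

/* Policy from the second patch: decide on the credentials saved on the socket. */
static int route_output_socred(const struct socket *so, int rtm_type)
{
	if (rtm_type != RTM_GET && so->so_cred.cr_uid != 0)
		return EACCES;
	return 0;
}

typedef int (*policy_fn)(const struct socket *, int);

/*
 * Garrett's scenario: a daemon opens its routing socket as root, then
 * switches to an unprivileged uid for safety, then sends RTM_ADD.
 * Returns the error the given policy hands back for that RTM_ADD.
 */
static int privilege_drop_scenario(policy_fn policy)
{
	struct process daemon = { { 0 } };        /* starts as root */
	struct socket so;

	curproc = &daemon;
	rts_attach(&so, &daemon);
	daemon.p_ucred.cr_uid = 65534;             /* constructed: setuid(nobody) */
	return policy(&so, RTM_ADD);
}

/* An ordinary user issuing one request type through a socket it opened itself. */
static int unprivileged_scenario(policy_fn policy, int rtm_type)
{
	struct process user = { { 1001 } };       /* constructed unprivileged uid */
	struct socket so;

	curproc = &user;
	rts_attach(&so, &user);
	return policy(&so, rtm_type);
}

int main(void)
{
	printf("daemon after privilege drop, curproc policy: RTM_ADD -> %d (EACCES=%d)\n",
	    privilege_drop_scenario(route_output_curproc), EACCES);
	printf("daemon after privilege drop, so_cred policy: RTM_ADD -> %d\n",
	    privilege_drop_scenario(route_output_socred));
	printf("unprivileged user, so_cred policy: RTM_GET -> %d, RTM_ADD -> %d\n",
	    unprivileged_scenario(route_output_socred, RTM_GET),
	    unprivileged_scenario(route_output_socred, RTM_ADD));
	return 0;
}
```

Under the curproc policy the daemon loses the ability to modify routes the moment it drops privileges, which is exactly the pattern the thread wants to keep working; under the so_cred policy it retains the authority it had when it created the socket, while a socket created by an unprivileged user is still limited to RTM_GET under either policy.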