From owner-freebsd-security@FreeBSD.ORG Sun Nov 21 21:27:59 2004
Message-ID: <41A1085B.6000807@traveller.cz>
Date: Sun, 21 Nov 2004 22:27:55 +0100
From: Michal Mertl <mime@traveller.cz>
To: freebsd-security@freebsd.org
cc: rwatson@freebsd.org
Subject: mac_portacl and automatic port allocation
List-Id: Security issues [members-only posting]

Hello,

I really like the idea behind mac_portacl but I find it difficult to use because of one issue. When an unprivileged program binds to a high automatic port with a call to bind(2) and the port number set to 0, the system chooses the port to bind to itself. This mechanism is used by a number of programs, most commonly by ftp clients in active mode. Unfortunately this 0 is checked by the mac_portacl(4) module and the call to bind is refused.

A rather simple fix would be to check if the local port is 0 and the user hasn't asked for IP_PORTRANGE_LOW, and then allow the call to trivially succeed. It can be controlled by a sysctl if needed.

What do you think of the patch below?

Index: mac_portacl.c =================================================================== RCS file: /home/fcvs/cvs/src/sys/security/mac_portacl/mac_portacl.c,v retrieving revision 1.5 diff -u -r1.5 mac_portacl.c --- mac_portacl.c 15 May 2004 20:55:19 -0000 1.5 +++ mac_portacl.c 21 Nov 2004 21:25:49 -0000 @@ -79,6 +79,7 @@ #include #include +#include #include @@ -441,6 +442,7 @@ struct label *socketlabel, struct sockaddr *sockaddr) { struct sockaddr_in *sin; + struct inpcb *inp = sotoinpcb(so); int family, type; u_int16_t port;
@@ -467,6 +469,11 @@ type = so->so_type; sin = (struct sockaddr_in *) sockaddr; port = ntohs(sin->sin_port); + /* If port == 0 and user hasn't asked for IP_PORTRANGELOW return + success */ + printf("mac_portacl: port %d, inp_flags: 0x%X\n", port, inp->inp_flags); + if (port == 0 && (inp->inp_flags & INP_LOWPORT) == 0) + return (0); return (rules_check(cred, family, type, port));

----------------
Best regards

--
Michal Mertl
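Review bot: in the second hunk (`@@ -441,6 +442,7 @@`), `struct inpcb *inp = sotoinpcb(so);` is assigned at declaration time, before the `family`/`type` assignments that the existing code performs, and `so->so_pcb` is only an `inpcb` for inet sockets. Unless the function has already returned for non-PF_INET sockets above this point (the context shown does not include that check), move the assignment down to just before the new `inp->inp_flags` test so it only happens once the family has been established as PF_INET.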
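Review bot: the third hunk (`@@ -467,6 +469,11 @@`) leaves a debugging `printf("mac_portacl: port %d, inp_flags: 0x%X\n", ...)` in the bind check, which will run on every bind(2) on the system and fill the console and message buffer with internal pcb flag state; drop it before this is committed. Two smaller points on the same hunk: the comment says `IP_PORTRANGELOW` while the socket option is `IP_PORTRANGE_LOW`, and the sysctl knob the mail mentions for controlling this exemption is not part of the patch, so as written the exemption is unconditional. The fall-through behaviour looks right: with `port == 0` and `INP_LOWPORT` set, the request still goes to `rules_check()` with port 0 and is refused rather than letting a reserved port be chosen automatically, which is the conservative choice.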
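The situation the mail describes, seen from user space: an added example (not from the mail or from the FreeBSD tree) that binds a TCP socket with `sin_port = 0` so the kernel picks the ephemeral port, then reads the chosen port back with getsockname(2). This is the call that mac_portacl was refusing because it only ever saw port 0. The `IP_PORTRANGE`/`IP_PORTRANGE_LOW` part, which corresponds to the `INP_LOWPORT` flag the patch tests, exists only on FreeBSD and is compiled in only where those macros are defined; the function name `bind_automatic_port` is this example's own.

```c
/* Added example: bind(2) with port 0 and read back the kernel's choice.
 * Not code from the mail above or from the mac_portacl module. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Bind a fresh TCP socket on 127.0.0.1 with sin_port = 0 and return the
 * port the kernel allocated, in host byte order; -1 on any failure.
 * want_low != 0 asks for IP_PORTRANGE_LOW (a reserved port, root only,
 * FreeBSD only); on other systems that request is reported as failure. */
int bind_automatic_port(int want_low)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    int s, port;
#ifdef IP_PORTRANGE
    int range;
#endif

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return -1;

#ifdef IP_PORTRANGE
    /* FreeBSD: this is what sets or clears INP_LOWPORT on the inpcb. */
    range = want_low ? IP_PORTRANGE_LOW : IP_PORTRANGE_DEFAULT;
    if (setsockopt(s, IPPROTO_IP, IP_PORTRANGE, &range, sizeof(range)) < 0) {
        close(s);
        return -1;
    }
#else
    if (want_low) {
        close(s);            /* no IP_PORTRANGE on this platform */
        return -1;
    }
#endif

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;        /* 0: let the kernel choose (the case in the mail) */
    if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        close(s);
        return -1;
    }

    /* The chosen port is only visible after bind(), via getsockname(). */
    if (getsockname(s, (struct sockaddr *)&sin, &len) < 0) {
        close(s);
        return -1;
    }
    port = ntohs(sin.sin_port);
    close(s);
    return port;
}

int main(void)
{
    int port = bind_automatic_port(0);
    printf("kernel chose port %d\n", port);
    return port > 0 ? 0 : 1;
}
```

Running this under a mac_portacl ruleset without the proposed exemption is the quickest way to reproduce the refusal: the bind fails even though the port the kernel would have chosen is an unprivileged one.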