Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 8 Oct 2001 16:35:31 -0400 (EDT)
From:      Robert Watson <rwatson@freebsd.org>
To:        Terry Lambert <tlambert2@mindspring.com>
Cc:        hackers@freebsd.org, net@freebsd.org
Subject:   Re: IPSEC code error
Message-ID:  <Pine.NEB.3.96L.1011008163422.93151O-100000@fledge.watson.org>
In-Reply-To: <3BBEC607.CC098104@mindspring.com>

next in thread | previous in thread | raw e-mail | index | archive | help
I haven't reviewed that particular piece of code for correctness, but
noticed that the caching of the privilege check there actually does cause
problems for a variety of reasons in my work.  I'd much rather individual
uses of suser() appeared in the netinet6 tree, and that appropriate
context for the check was passed down the stack to where the knowledge of
privilege is needed, rather than just the flag.  Sometime, I'll get around
to some diffs.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Sat, 6 Oct 2001, Terry Lambert wrote:

> On a related topic, there appears to be a code error in the
> IPSEC code.
> 
> Specifically, the priv flag is set to 1 if the user is root
> and the socket is non-null (this lets the code be called
> from the bridging code as well, so ignore the first half of
> the "if" test, and concentrate on the "uid == 0" test).
> 
> In the code that examines this flag, the comment is that it
> is looking at whether or not the port is a priviledged port,
> not whether or not the user who owns it is root.
> 
> This implies that the "rootness" check improperly flags any
> ports opened by root, regardless of whether or not they are
> priviledged ports.
> 
> Is the code where the flag is initialized correct, or is the
> comment where the flag is observed correct?
> 
> -- Terry
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message
> 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1011008163422.93151O-100000>