Date: Sun, 9 Aug 2015 15:08:01 +0200
From: Ed Schouten <ed@nuxi.nl>
To: Alexander Kabaev <kabaev@gmail.com>
Cc: Ed Schouten <ed@freebsd.org>, src-committers <src-committers@freebsd.org>, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r285910 - in head: lib/libc/sys sys/kern sys/sys
Message-ID: <CABh_MKm-CfUNJffcLX%2Bdfb08sAtO4UPrtytOoQ9k-8NNVXPGUQ@mail.gmail.com>
In-Reply-To: <20150809085545.0beef79b@kan>
References: <201507271317.t6RDHwpj067194@repo.freebsd.org> <20150808150539.0b43cfcd@kan> <CABh_MK=PjDUh73aPEX5yTdkgCJ--3NwKV7ZS6KvP5GYfOU1aYw@mail.gmail.com> <20150809085545.0beef79b@kan>

Hi Alexander,

2015-08-09 14:55 GMT+02:00 Alexander Kabaev <kabaev@gmail.com>:
> On Sun, 9 Aug 2015 09:37:13 +0200
> It most definitely does work, this is what I have done to get my
> network scripts work again. I wonder if there are other means of
> restricting raw sockets that can be used to achieve the result
> authors of rtsold had hoped for?

Yes, there sure are. We could for example call cap_rights_limit() on
the socket and whitelist the exact set of actions that the program
needs.

That said, it wouldn't make a difference in the end. It looks like
rtsol/rtsold don't seem to drop any privileges or switch credentials
after startup, assuming I haven't overlooked anything. Even if we were
to restrict the raw socket, the process could always open a new one
later on.

I think it would make sense for now to just commit the patch that I
proposed. Will push it into the tree tomorrow.

Thanks,
-- 
Ed Schouten <ed@nuxi.nl>
Nuxi, 's-Hertogenbosch, the Netherlands
KvK/VAT number: 62051717