Date: Tue, 21 Aug 2001 18:24:10 -0500 (CDT)
From: "c.s. (maneo) peron" <maneo@icmp.dhs.org>
To: <freebsd-security@freebsd.org>
Subject: inet socket restriction via group
Message-ID: <20010821182214.H81525-100000@icmp.dhs.org>
greetings;

This is something that I use on a daily basis. I have heard people asking questions on how they might restrict members of a certain group from creating INET sockets. This is a little something I hacked together. I am currently working on another method of doing this; one that does not rely on the sysctl mechanism. We will see how that goes. But for now, add "options RESTRICT_SOCKS" to your kernel config.

It's not complicated; I know there are probably some better ways of going about doing this. However, it works. After applying the patches & recompiling your kernel, you will see the following variables in the sysctl:

% sysctl -a | grep No
kern.ipc.NoInetSocks: 0
kern.ipc.NoInet_GID: 65534
%

Simply turn the variable on by setting it to 1. Then specify the group you want to restrict.

Some of you might think it's crap, others may find it useful.

Cheers

c.s. (maneo) peron

snip ---< snip ---< snip ---< options patch *** /usr/src/alpha/sys/conf/options Thu Aug 2 19:47:27 2001 --- /usr/src/sys/conf/options Sat Aug 18 11:29:30 2001 *************** *** 268,273 **** --- 268,274 ---- PPP_DEFLATE opt_ppp.h PPP_FILTER opt_ppp.h RANDOM_IP_ID + RESTRICT_SOCKS opt_resocks.h SLIP_IFF_OPTS opt_slip.h TCPDEBUG TCP_DROP_SYNFIN opt_tcp_input.h snip ---< snip ---< snip ---< uipc_socket.c patch *** uipc_socket.c.orig Thu Jun 14 15:46:06 2001 --- uipc_socket.c Tue Aug 21 10:21:58 2001 *************** *** 35,40 **** --- 35,41 ---- */ #include "opt_inet.h" + #include "opt_resocks.h" #include <sys/param.h> #include <sys/systm.h> *************** *** 89,94 **** --- 90,120 ---- SYSCTL_INT(_kern_ipc, KIPC_SOMAXCONN, somaxconn, CTLFLAG_RW, &somaxconn, 0, "Maximum pending socket connection queue size"); + #if (defined(RESTRICT_SOCKS)) + /* + * define the sysctl(8) mechanisms that will enable + * the restriction of a certain group member(s) + * from creating network sockets, to prevent potentially + * abusive users from using the system as a springboard. 
+ */ + static int NoInetSocks = 0; /* default to 'off' */ + gid_t NoInet_GID = 65534; /* default to group 'nobody' */ + + SYSCTL_INT(_kern_ipc, + OID_AUTO, + NoInetSocks, + CTLFLAG_RW, + &NoInetSocks, + 0,"AF_INET socket restriction via GID"); + + SYSCTL_INT(_kern_ipc, + OID_AUTO, + NoInet_GID, + CTLFLAG_RW, + &NoInet_GID, + 0,"GID to be restricted"); + #endif /* RESTRICT SOCKS */ + /* * Socket operation routines. * These routines are called by the routines in *************** *** 132,137 **** --- 158,172 ---- register struct protosw *prp; register struct socket *so; register int error; + + #if (defined(RESTRICT_SOCKS)) + if (dom == AF_INET && NoInetSocks) { + if (groupmember(NoInet_GID, (struct ucred *)p->p_cred)) { + uprintf("socreate(AF_INET) - disabled\n"); + return(EPERM); + } + } + #endif /* RESTRICT_SOCKS */ if (proto) prp = pffindproto(dom, proto, type);
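Review bot: the conf/options hunk's file headers name two different trees (`*** /usr/src/alpha/sys/conf/options` against `--- /usr/src/sys/conf/options`), so patch(1) has to guess which path is meant; regenerate the diff from a single tree. The generated header `opt_resocks.h` also does not carry the option's name, and `opt_restrict_socks.h` would make the matching `#include` in uipc_socket.c self-explanatory.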
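Review bot: in the sysctl hunk, `NoInet_GID` is declared `gid_t` but exported with `SYSCTL_INT(..., &NoInet_GID, ...)`, whose handler treats the pointer as an `int *`; gid_t is unsigned, so a negative or out-of-range value written through sysctl(8) is silently reinterpreted. Use `SYSCTL_UINT` (if your tree has it) or declare the variable `int` and cast at the `groupmember()` call, and make it `static` like `NoInetSocks`. The default of 65534 (`group 'nobody'`, per the comment) is a hazardous default: turning `NoInetSocks` on before `NoInet_GID` has been set removes IPv4 networking from everything that runs as nobody, so either default to a gid that matches nothing or say in the description that the gid must be set first. Naming: the existing `kern.ipc` leaves are lowercase (`somaxconn` sits directly above), so `noinetsocks`/`noinet_gid` would fit the tree. Style nits: `#if (defined(RESTRICT_SOCKS))` is just `#ifdef RESTRICT_SOCKS`, and the closing comment reads `RESTRICT SOCKS` rather than `RESTRICT_SOCKS`.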
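Review bot: in the socreate() hunk, `groupmember(NoInet_GID, (struct ucred *)p->p_cred)` compiles only because of the cast: `p->p_cred` is not a `struct ucred *` (on FreeBSD 4.x it is the `struct pcred` wrapper), so groupmember() reads pcred's fields as if they were `cr_ngroups`/`cr_groups` and never consults the process's actual group list. Pass the real credential, `p->p_ucred` (that is, `p->p_cred->pc_ucred`), with no cast. Three smaller points: `dom == AF_INET` leaves AF_INET6 untouched, so on an IPv6-capable host the restricted group can still reach the network; socket(2) documents EACCES, not EPERM, for a socket the caller is not permitted to create; and `uprintf()` on every refusal both spams the user's terminal and tells them exactly which check stopped them, so a silent EACCES (or a log(9) message) is preferable. Worth stating in the description: this gates creation only, so an AF_INET descriptor inherited across exec from an unrestricted parent, or passed over a unix-domain socket, keeps working.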
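As an added example that is not part of the original post (and not the author's code): a user-space probe for checking the knob from the restricted group's side. It assumes a POSIX host with a C compiler, takes the restricted gid from its first argument (a convention of this example, defaulting to the patch's 65534), tries socket(2) in three address families, and reports which ones the kernel refuses alongside whether the caller actually carries that gid. On an unpatched kernel every family is reported as created.

```c
/*
 * Added example, not part of the original post: probe which address
 * families a restricted user can still open sockets in, and whether the
 * caller really is in the gid that kern.ipc.NoInet_GID names.
 *
 * Assumptions: POSIX host; run as a member of the restricted group:
 *   cc -o sockprobe sockprobe.c && ./sockprobe 65534
 * The gid argument and the 65534 default are this example's convention.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>

/* Try socket(2) in the given domain; 0 if it was created, else the errno. */
int probe_socket(int domain, int type)
{
    int fd = socket(domain, type, 0);

    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/*
 * Is gid the caller's effective gid or in its supplementary group list?
 * This is what a kernel-side groupmember(9) check on the real ucred
 * consults, so a mismatch between this answer and the probe results
 * points at the kernel check rather than at the user's group setup.
 */
int in_group(gid_t gid)
{
    gid_t *groups;
    int n, i, found = 0;

    if (getegid() == gid)
        return 1;
    n = getgroups(0, NULL);            /* size of the supplementary list */
    if (n <= 0)
        return 0;
    groups = malloc((size_t)n * sizeof *groups);
    if (groups == NULL)
        return 0;
    n = getgroups(n, groups);
    for (i = 0; i < n; i++)
        if (groups[i] == gid)
            found = 1;
    free(groups);
    return found;
}

int main(int argc, char **argv)
{
    /* gid expected in kern.ipc.NoInet_GID; 65534 is the patch's default */
    gid_t restricted = (gid_t)(argc > 1 ? strtoul(argv[1], NULL, 10) : 65534);
    struct { const char *name; int domain; } fams[] = {
        { "AF_INET",  AF_INET  },   /* the only family the patch gates */
        { "AF_INET6", AF_INET6 },   /* not matched by dom == AF_INET */
        { "AF_UNIX",  AF_UNIX  },   /* local IPC, should never be refused */
    };
    size_t i;

    printf("euid %u egid %u, member of gid %u: %s\n",
           (unsigned)geteuid(), (unsigned)getegid(), (unsigned)restricted,
           in_group(restricted) ? "yes" : "no");
    for (i = 0; i < sizeof fams / sizeof fams[0]; i++) {
        int err = probe_socket(fams[i].domain, SOCK_STREAM);
        printf("%-9s %s\n", fams[i].name, err ? strerror(err) : "created");
    }
    return 0;
}
```

Run it once as a restricted user with kern.ipc.NoInetSocks=0 and once with it set to 1; the AF_INET6 line is the one to watch, since the patch's check only matches dom == AF_INET, and the "member of gid" line confirms the credential the kernel should be inspecting.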