From owner-freebsd-security Tue Aug 21 16:47:28 2001
Delivered-To: freebsd-security@freebsd.org
Date: Tue, 21 Aug 2001 18:47:09 -0500 (CDT)
From: "c.s. (maneo) peron"
Subject: Re: inet socket restriction via group (fwd)
Message-ID: <20010821184631.H13462-100000@icmp.dhs.org>

True, you could use ipfw; however, I don't believe you can filter a group when using ipf (correct me if I am wrong). Furthermore, I posted the wrong uipc_socket.c patch :( The other one was no good. This one should work.
snip ---< snip ---< snip ---< options patch *** /usr/src/alpha/sys/conf/options Thu Aug 2 19:47:27 2001 --- /usr/src/sys/conf/options Sat Aug 18 11:29:30 2001 *************** *** 268,273 **** --- 268,274 ---- PPP_DEFLATE opt_ppp.h PPP_FILTER opt_ppp.h RANDOM_IP_ID + RESTRICT_SOCKS opt_resocks.h SLIP_IFF_OPTS opt_slip.h TCPDEBUG TCP_DROP_SYNFIN opt_tcp_input.h snip ---< snip ---< snip ---< uipc_socket.c patch *** uipc_socket.c.orig Thu Jun 14 15:46:06 2001 --- uipc_socket.c Tue Aug 21 10:21:58 2001 *************** *** 35,40 **** --- 35,41 ---- */ #include "opt_inet.h" + #include "opt_resocks.h" #include #include *************** *** 89,94 **** --- 90,120 ---- SYSCTL_INT(_kern_ipc, KIPC_SOMAXCONN, somaxconn, CTLFLAG_RW, &somaxconn, 0, "Maximum pending socket connection queue size"); + #if (defined(RESTRICT_SOCKS)) + /* + * define the sysctl(8) mechanisms that will enable + * the restriction of a certain group member(s) + * from creating network sockets, to prevent potentially + * abusive users from using the system as a springboard. + */ + static int NoInetSocks = 0; /* default to 'off' */ + gid_t NoInet_GID = 65534; /* default to group 'nobody' */ + + SYSCTL_INT(_kern_ipc, + OID_AUTO, + NoInetSocks, + CTLFLAG_RW, + &NoInetSocks, + 0,"AF_INET socket restriction via GID"); + + SYSCTL_INT(_kern_ipc, + OID_AUTO, + NoInet_GID, + CTLFLAG_RW, + &NoInet_GID, + 0,"GID to be restricted"); + #endif /* RESTRICT SOCKS */ + /* * Socket operation routines. 
* These routines are called by the routines in *************** *** 132,137 **** --- 158,172 ---- register struct protosw *prp; register struct socket *so; register int error; + + #if (defined(RESTRICT_SOCKS)) + if (dom == AF_INET && NoInetSocks) { + if (p->p_cred->p_rgid == NoInet_GID) { + uprintf("socreate(AF_INET) - disabled\n"); + return(EPERM); + } + } + #endif /* RESTRICT_SOCKS */ if (proto) prp = pffindproto(dom, proto, type); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
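Review bot: the options hunk's diff header compares `/usr/src/alpha/sys/conf/options` against `/usr/src/sys/conf/options`, i.e. two different source trees, so the `268,273` line numbers may not apply cleanly to a stock tree; regenerate the diff against one tree. There is also no LINT entry documenting the new `RESTRICT_SOCKS` option, so someone configuring a kernel is not told what it does or that it is inert until the `kern.ipc.NoInetSocks` sysctl is set.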
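Review bot: in the sysctl hunk (`*** 89,94 ****`) `NoInet_GID` is declared `gid_t` but exported with `SYSCTL_INT`, whose handler reads and writes an `int`; declare it `static int` to match the macro (or use an unsigned sysctl handler), and make it `static` in any case, as `NoInetSocks` already is, since nothing outside the file references it. Two style points: the closing `#endif /* RESTRICT SOCKS */` comment does not match the macro name `RESTRICT_SOCKS`, and `#if (defined(RESTRICT_SOCKS))` is the long form of `#ifdef RESTRICT_SOCKS`.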
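Review bot: the check in the socreate() hunk (`*** 132,137 ****`) tests only the real GID, `p->p_cred->p_rgid`, so a process whose restricted group is its effective group or one of its supplementary groups (`p_ucred->cr_gid`, `cr_groups`) is not covered; groupmember() already exists for that lookup. The gate also covers only `dom == AF_INET`, leaving `AF_INET6` sockets unrestricted, which should be a deliberate choice or a second condition. Note that socreate() only gates creation: sockets inherited across fork()/exec() or passed over a Unix-domain socket are unaffected, which is worth stating in the sysctl description. Finally, `uprintf()` writes to the controlling tty on every denied attempt; a `log()` call is the usual choice for a kernel-side policy denial.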