Date: Wed, 27 May 2009 08:09:49 -0400
From: John Baldwin <jhb@freebsd.org>
To: freebsd-arch@freebsd.org
Cc: trasz@freebsd.org, adrian@freebsd.org, Pawel Jakub Dawidek <pjd@freebsd.org>, Julian Elischer <julian@elischer.org>
Subject: Re: IP_NONLOCALOK improvements.
Message-ID: <200905270809.50275.jhb@freebsd.org>
In-Reply-To: <20090527065121.GD4204@garage.freebsd.pl>
References: <20090526135547.GE1491@garage.freebsd.pl> <4A1CD562.9040706@elischer.org> <20090527065121.GD4204@garage.freebsd.pl>
On Wednesday 27 May 2009 2:51:21 am Pawel Jakub Dawidek wrote:
> > I know how useful this is to have, (from my own experience)
> > but feel strongly that this is pretty bad behaviour for most systems
> > and can facilitate all sorts of security worries.
> 
> Well, this behaviour is similar to adding an IP address to an
> interface and binding to that address. There is even no securelevel that
> denies modifying interfaces, so in my opinion if one needs to explicitly
> ask for this to be enabled for a socket and one needs a special
> privilege to do it, it should be enough protection to make the user's life a
> bit less complex by not requiring kernel recompilation and sysctl
> modification.
> 
> I'm not sure if this was on purpose, but currently even an unprivileged
> user can use this functionality if the sysctl is on, which I find hard
> to accept. Having this always enabled and requiring a privilege is IMHO
> more secure than allowing anyone to use it once the sysctl is on.
> But again, combining the two (privilege and sysctl) is redundant IMHO.

I think it is fine to have it in the kernel by default if it is restricted
by privilege. I also agree that a root user could already accomplish this
by adding an alias to the desired interface and then binding the socket
(and then removing the alias if desired).

-- 
John Baldwin