From owner-freebsd-arch@FreeBSD.ORG Wed May 27 15:42:28 2009
Return-Path: 
Delivered-To: freebsd-arch@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AF4C21065674; Wed, 27 May 2009 15:42:28 +0000 (UTC) (envelope-from jhb@freebsd.org)
Received: from cyrus.watson.org (cyrus.watson.org [65.122.17.42]) by mx1.freebsd.org (Postfix) with ESMTP id 79E948FC1B; Wed, 27 May 2009 15:42:28 +0000 (UTC) (envelope-from jhb@freebsd.org)
Received: from bigwig.baldwin.cx (66.111.2.69.static.nyinternet.net [66.111.2.69]) by cyrus.watson.org (Postfix) with ESMTPSA id EBF8846B0C; Wed, 27 May 2009 11:42:27 -0400 (EDT)
Received: from jhbbsd.hudson-trading.com (unknown [209.249.190.8]) by bigwig.baldwin.cx (Postfix) with ESMTPA id 946098A028; Wed, 27 May 2009 11:42:26 -0400 (EDT)
From: John Baldwin
To: freebsd-arch@freebsd.org
Date: Wed, 27 May 2009 08:09:49 -0400
User-Agent: KMail/1.9.7
References: <20090526135547.GE1491@garage.freebsd.pl> <4A1CD562.9040706@elischer.org> <20090527065121.GD4204@garage.freebsd.pl>
In-Reply-To: <20090527065121.GD4204@garage.freebsd.pl>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200905270809.50275.jhb@freebsd.org>
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0.1 (bigwig.baldwin.cx); Wed, 27 May 2009 11:42:26 -0400 (EDT)
X-Virus-Scanned: clamav-milter 0.95 at bigwig.baldwin.cx
X-Virus-Status: Clean
X-Spam-Status: No, score=-2.5 required=4.2 tests=AWL,BAYES_00, DATE_IN_PAST_03_06,RDNS_NONE autolearn=no version=3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on bigwig.baldwin.cx
Cc: trasz@freebsd.org, adrian@freebsd.org, Pawel Jakub Dawidek , Julian Elischer
Subject: Re: IP_NONLOCALOK improvements.
X-BeenThere: freebsd-arch@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussion related to FreeBSD architecture
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 27 May 2009 15:42:29 -0000

On Wednesday 27 May 2009 2:51:21 am Pawel Jakub Dawidek wrote:
> > I know how useful this is to have (from my own experience),
> > but feel strongly that this is pretty bad behaviour for most systems
> > and can facilitate all sorts of security worries.
>
> Well, this behaviour is similar to adding an IP address to an
> interface and binding to that address. There is not even a securelevel that
> denies modifying interfaces, so in my opinion if one needs to explicitly
> ask for this to be enabled for a socket and one needs a special
> privilege to do it, it should be enough protection to make the user's life a
> bit less complex by not requiring kernel recompilation and sysctl
> modification.
>
> I'm not sure if this was on purpose, but currently even an unprivileged
> user can use this functionality if the sysctl is on, which I find hard
> to accept. Having this always enabled and requiring a privilege is IMHO
> more secure than allowing anyone to use it once the sysctl is on.
> But again, combining the two (privilege and sysctl) is redundant IMHO.

I think it is fine to have it in the kernel by default if it is restricted by
privilege. I also agree that a root user could already accomplish this by
adding an alias to the desired interface and then binding the socket (and then
removing the alias if desired).

-- 
John Baldwin
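The behaviour the thread is arguing about, as an added example that is not part of the original message or of FreeBSD's code: a UDP socket is bound to an address the host does not have configured, once without and once with the per-socket "non-local bind" option. The option name is chosen at compile time: IP_NONLOCALOK where the header still has it, IP_BINDANY (the name FreeBSD later gave the same option) otherwise, and IP_FREEBIND as the Linux equivalent so the program also runs there. 192.0.2.1 (TEST-NET-1) is assumed not to be configured on any local interface; port 0 is used because only the address check matters here.

```c
/*
 * Added example, not from the mailing-list thread or from FreeBSD itself.
 * Demonstrates what a "non-local bind" socket option changes: without it,
 * bind(2) to an address the host does not own fails with EADDRNOTAVAIL;
 * with it, the kernel lets the socket claim that address anyway.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Pick whichever spelling of the option this platform's headers provide. */
#if defined(IP_NONLOCALOK)            /* FreeBSD at the time of the thread */
#  define NONLOCAL_OPT       IP_NONLOCALOK
#  define NONLOCAL_OPT_NAME  "IP_NONLOCALOK"
#  define NONLOCAL_OPT_AVAIL 1
#elif defined(IP_BINDANY)             /* later FreeBSD name for the same option */
#  define NONLOCAL_OPT       IP_BINDANY
#  define NONLOCAL_OPT_NAME  "IP_BINDANY"
#  define NONLOCAL_OPT_AVAIL 1
#elif defined(IP_FREEBIND)            /* Linux equivalent, assumed here */
#  define NONLOCAL_OPT       IP_FREEBIND
#  define NONLOCAL_OPT_NAME  "IP_FREEBIND"
#  define NONLOCAL_OPT_AVAIL 1
#else
#  define NONLOCAL_OPT       0
#  define NONLOCAL_OPT_NAME  "(unsupported)"
#  define NONLOCAL_OPT_AVAIL 0
#endif

/*
 * Create a UDP socket, optionally enable the non-local bind option, and bind
 * it to addr:0. Returns 0 on success or the errno of the call that failed.
 * EINVAL means addr was not a valid IPv4 address; ENOPROTOOPT means this
 * platform has no such option at all.
 */
int bind_nonlocal(const char *addr, int allow_nonlocal)
{
    struct sockaddr_in sin;
    int fd, err = 0, one = 1;

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(0);          /* ephemeral; only the address check matters */
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1)
        return EINVAL;

    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return errno;

    if (allow_nonlocal) {
        if (!NONLOCAL_OPT_AVAIL) {
            close(fd);
            return ENOPROTOOPT;
        }
        /* On FreeBSD this is the privileged step; on Linux it is not. */
        if (setsockopt(fd, IPPROTO_IP, NONLOCAL_OPT, &one, sizeof one) < 0) {
            err = errno;
            close(fd);
            return err;
        }
    }

    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0)
        err = errno;
    close(fd);
    return err;
}

int main(void)
{
    const char *addr = "192.0.2.1";   /* TEST-NET-1: assumed not configured locally */
    int r;

    r = bind_nonlocal(addr, 0);
    printf("bind %s without option: %s\n", addr, r ? strerror(r) : "ok");
    r = bind_nonlocal(addr, 1);
    printf("bind %s with %s: %s\n", addr, NONLOCAL_OPT_NAME, r ? strerror(r) : "ok");
    return 0;
}
```

Two points worth checking against the discussion above. First, on FreeBSD the setsockopt call is where the privilege check lands, so an unprivileged caller gets EPERM before bind is ever attempted; on Linux IP_FREEBIND needs no privilege at all, which is exactly the "anyone can use it once it is enabled" situation Pawel objects to. Second, unlike the root-only workaround of adding an interface alias, a socket bound this way leaves no trace in the interface configuration; it is visible only in the socket table (sockstat or netstat on FreeBSD), so that is where an auditor has to look.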