From owner-freebsd-arch@FreeBSD.ORG Sat May 8 06:23:59 2004 Return-Path: Delivered-To: freebsd-arch@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3924316A4D2; Sat, 8 May 2004 06:23:59 -0700 (PDT) Received: from comp.chem.msu.su (comp.chem.msu.su [158.250.32.97]) by mx1.FreeBSD.org (Postfix) with ESMTP id E7E0B43D3F; Sat, 8 May 2004 06:23:57 -0700 (PDT) (envelope-from yar@comp.chem.msu.su) Received: from comp.chem.msu.su (localhost [127.0.0.1]) by comp.chem.msu.su (8.12.9p2/8.12.9) with ESMTP id i48DNu3F046266; Sat, 8 May 2004 17:23:56 +0400 (MSD) (envelope-from yar@comp.chem.msu.su) Received: (from yar@localhost) by comp.chem.msu.su (8.12.9p2/8.12.9/Submit) id i48DNtvn046265; Sat, 8 May 2004 17:23:55 +0400 (MSD) (envelope-from yar) Date: Sat, 8 May 2004 17:23:54 +0400 From: Yar Tikhiy To: "Bjoern A. Zeeb" Message-ID: <20040508132354.GB44214@comp.chem.msu.su> References: <20040508034514.GA937@grosbein.pp.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.6i cc: arch@freebsd.org cc: Eugene Grosbein cc: net@freebsd.org Subject: Re: bin/65928: [PATCH] stock ftpd uses superuser credentials for active mode sockets X-BeenThere: freebsd-arch@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Discussion related to FreeBSD architecture List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 08 May 2004 13:23:59 -0000 On Sat, May 08, 2004 at 06:40:41AM +0000, Bjoern A. Zeeb wrote: > > > When an active IPv4 TCP connection between > > localIP:localport and remoteIP1:remoteport1 exists, > > it is not possible for local non-root user to create outgoing > > TCP connection from localIP:localport to remoteIP2:remoteport2. > > > > Why? It prevents http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/65928 > > from resolving. > > to do it with other wording: > > if in active mode data is send to remote, the server uses ftp-data > as port (which is 20 [ftp(21)-1]) and you are running into creating > a socket in the privileged port range: > net.inet.ip.portrange.reservedlow to net.inet.ip.portrange.reservedhigh > which "only may be opened by root-owned processes" [ip(4)]. Not exactly. The right to bind a socket to a priviliged port is verified against the process credentials, with suser() and at a different point in the code. Eugene is talking about socket credentials, so_cred, and their use in preventing port stealth. It's a different thing, it applies to any port number. The code in question is in file sys/netinet/in_pcb.c, function in_pcbbind(): if (so->so_cred->cr_uid != 0 && !IN_MULTICAST(ntohl(sin->sin_addr.s_addr))) { t = in_pcblookup_local(inp->inp_pcbinfo, sin->sin_addr, lport, prison ? 0 : INPLOOKUP_WILDCARD); if (t && ... My investigation shows that the problem is somewhat tangled. On the one hand, it has to do with the way in_pcblookup_local() is invoked to check for possible port stealth. The function takes the last on/off argument "wild_okay" instructing it whether to consider connected sockets along with unconnected ones. This argument is set to 1 by the code in question unless we're in jail. Consequently, the function can match established connections. On the other hand, "wild_okay" can't just be set to constant 0 there because in this case in_pcblookup_local() would not match connections with the local wildcard address. Perhaps, yet another "if" needs to be added to check if the existing inpcb found is not connected yet. Another point to note here is that for a UDP inpcb having the foreign address set to something different from INADDR_ANY doesn't mean the inpcb is actually connected. -- Yar