Date: Thu, 26 Jul 2001 21:31:20 -0500 (CDT) From: Mike Silbersack <silby@silby.com> To: "Nickolay A.Kritsky" <nkritsky@internethelp.ru> Cc: <security@FreeBSD.ORG> Subject: Re: accounting with ipfw (gid, uid riles) Message-ID: <20010726212826.J40333-100000@achilles.silby.com> In-Reply-To: <7167463367.20010726172101@internethelp.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 26 Jul 2001, Nickolay A.Kritsky wrote: > 01010 count ip from any to 212.113.112.145 via rl0 > 01010 count ip from 212.113.112.145 to any via rl0 > 01010 count ip from any to 212.113.112.145 uid nobody via rl0 > 01010 count ip from any to 212.113.112.145 uid root via rl0 > 01010 count ip from any to 212.113.112.145 uid httpd via rl0 > 01010 count ip from any to 212.113.112.145 uid ftp via rl0 The uid associated with a socket is the uid of the process which created it. So, when apache creates a socket as root, then hands it off to one of the httpd processes, it's still accounted to root. This should be true for any socket running on a port < 1024, as they have to be allocated as root. So, you're going to have to account by port numbers. In httpd's case, that shouldn't be a problem. In ftp's case, that's another story. FWIW, I had a patch which made the uid switch during accept on -current, but I figured that there were some subtle security-related problems with it and subsequently pigeonholed it. Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010726212826.J40333-100000>