From owner-freebsd-security  Thu Jul 26 19:31:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39])
	by hub.freebsd.org (Postfix) with ESMTP id 5DB0C37B403
	for <security@FreeBSD.ORG>; Thu, 26 Jul 2001 19:31:21 -0700 (PDT)
	(envelope-from silby@silby.com)
Received: (qmail 40371 invoked by uid 1000); 27 Jul 2001 02:31:20 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 27 Jul 2001 02:31:20 -0000
Date: Thu, 26 Jul 2001 21:31:20 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: "Nickolay A.Kritsky" <nkritsky@internethelp.ru>
Cc: <security@FreeBSD.ORG>
Subject: Re: accounting with ipfw (gid, uid riles)
In-Reply-To: <7167463367.20010726172101@internethelp.ru>
Message-ID: <20010726212826.J40333-100000@achilles.silby.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org


On Thu, 26 Jul 2001, Nickolay A.Kritsky wrote:

> 01010 count ip from any to 212.113.112.145 via rl0
> 01010 count ip from 212.113.112.145 to any via rl0
> 01010 count ip from any to 212.113.112.145 uid nobody via rl0
> 01010 count ip from any to 212.113.112.145 uid root via rl0
> 01010 count ip from any to 212.113.112.145 uid httpd via rl0
> 01010 count ip from any to 212.113.112.145 uid ftp via rl0

The uid associated with a socket is the uid of the process which created
it.  So, when apache creates a socket as root, then hands it off to one of
the httpd processes, it's still accounted to root.  This should be true
for any socket running on a port < 1024, as they have to be allocated as
root.

So, you're going to have to account by port numbers.  In httpd's case,
that shouldn't be a problem.  In ftp's case, that's another story.

FWIW, I had a patch which made the uid switch during accept on -current,
but I figured that there were some subtle security-related problems with
it and subsequently pigeonholed it.

Mike "Silby" Silbersack


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message