Date:      Fri, 27 Jul 2001 19:18:53 +0400
From:      "Nickolay A.Kritsky" <nkritsky@internethelp.ru>
To:        Mike Silbersack <silby@silby.com>
Cc:        security@FreeBSD.ORG
Subject:   Re[2]: accounting with ipfw (gid, uid riles)
Message-ID:  <15993079421.20010727191853@internethelp.ru>
In-Reply-To: <20010726212826.J40333-100000@achilles.silby.com>
References:  <20010726212826.J40333-100000@achilles.silby.com>

Hello Mike,

Friday, July 27, 2001, 6:31:20 AM, you wrote:


MS> On Thu, 26 Jul 2001, Nickolay A.Kritsky wrote:

>> 01010 count ip from any to 212.113.112.145 via rl0
>> 01010 count ip from 212.113.112.145 to any via rl0
>> 01010 count ip from any to 212.113.112.145 uid nobody via rl0
>> 01010 count ip from any to 212.113.112.145 uid root via rl0
>> 01010 count ip from any to 212.113.112.145 uid httpd via rl0
>> 01010 count ip from any to 212.113.112.145 uid ftp via rl0

MS> The uid associated with a socket is the uid of the process which created
MS> it.  So, when apache creates a socket as root, then hands it off to one of
MS> the httpd processes, it's still accounted to root.  This should be true
MS> for any socket running on a port < 1024, as they have to be allocated as
MS> root.

Do you mean that after this code:
//----------------------------------------------------------------
/* Sketch from the post, filled in so it compiles: root creates and binds the
   listening socket, then the uid is switched before accept(). */
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

int s, k;
struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(8080) };

setuid(0);
s = socket(AF_INET, SOCK_STREAM, 0);
bind(s, (struct sockaddr *)&sa, sizeof sa);   /* sin_addr zero = INADDR_ANY */
listen(s, 1);
if (fork() != -1)          /* taken in both parent and child when fork() succeeds */
{
    setuid(1);
    k = accept(s, NULL, NULL);
}
.
.
.
//----------------------------------------------------------------
the socket pointed to by k will be "owned" by root?

Anyway, it is not the main point of my question. Accounting httpd
traffic is just a piece of cake - the port is fixed, the address is
fixed. But I wanted to count Squid traffic. AFAIK Squid does not do any
setuid() voodoo, except for the privilege drop at startup. After that it
runs strictly as uid 'nobody'. But Squid's traffic doesn't hit the
counter!!! I wonder why. Maybe it is because of natd running on the outer
interface? But why then do some packets hit the counter?

MS> So, you're going to have to account by port numbers.  In httpd's case,
MS> that shouldn't be a problem.  In ftp's case, that's another story.

In Squid's case it is just impossible :\ . All I can think about so
far is adding an alias interface, binding Squid to this interface and counting
with host src and dst fields, but adding another alias network
interface every time I add some new daemon and want to account its
traffic looks a little funny. IMHO, it looks just awful.

MS> FWIW, I had a patch which made the uid switch during accept on -current,
MS> but I figured that there were some subtle security-related problems with
MS> it and subsequently pigeonholed it.

Sorry, but what does FWIW mean?

MS> Mike "Silby" Silbersack


;-------------------------------------------
; NKritsky
; SysAdmin InternetHelp.Ru
; http://www.internethelp.ru
; mailto:nkritsky@internethelp.ru



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
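A quick way to see how much of a host's traffic the uid-qualified count rules in the thread actually attribute, added here as an example and not part of the original mail: it reads `ipfw -a list` style output (rule, packets, bytes, then the rule body) and reports inbound bytes, bytes caught by `uid` rules, and the unattributed remainder. The sample output and its counters are constructed.

```sh
#!/bin/sh
# Added example (not from the thread). Assumed column layout of `ipfw -a list`:
#   <rule> <packets> <bytes> count ip from ... to ... [uid NAME] via rl0
# The sample below is constructed; the counters are invented.

SAMPLE='01010 1200 998877 count ip from any to 212.113.112.145 via rl0
01010 1100 887766 count ip from 212.113.112.145 to any via rl0
01010 40 12345 count ip from any to 212.113.112.145 uid nobody via rl0
01010 900 654321 count ip from any to 212.113.112.145 uid root via rl0
01010 10 4321 count ip from any to 212.113.112.145 uid httpd via rl0
01010 0 0 count ip from any to 212.113.112.145 uid ftp via rl0'

# uid_coverage HOST < listing
# Prints: "<inbound bytes> <bytes matched by uid rules> <unattributed bytes>"
# Inbound = the "to HOST" count rule without a uid qualifier; the uid rules
# for the same host are summed and subtracted from it.
uid_coverage() {
  awk -v host="$1" '
    $4 == "count" && index($0, " to " host " ") {
      if (index($0, " uid ")) byuid += $3; else inbound += $3
    }
    END { printf "%d %d %d\n", inbound, byuid, inbound - byuid }'
}

# Per-uid breakdown for the same host, one "uid bytes" line per rule.
uid_breakdown() {
  awk -v host="$1" '
    $4 == "count" && index($0, " to " host " ") {
      for (i = 5; i < NF; i++) if ($i == "uid") print $(i + 1), $3
    }'
}

printf '%s\n' "$SAMPLE" | uid_coverage 212.113.112.145
printf '%s\n' "$SAMPLE" | uid_breakdown 212.113.112.145
```

A large third number is exactly the symptom described above: traffic to the host that no uid rule claims, so it belongs to sockets whose owner uid is not in the rule set (or to packets that never match a socket at all).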




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?15993079421.20010727191853>