Date: Fri, 27 Jul 2001 19:18:53 +0400
From: "Nickolay A.Kritsky" <nkritsky@internethelp.ru>
To: Mike Silbersack <silby@silby.com>
Cc: security@FreeBSD.ORG
Subject: Re[2]: accounting with ipfw (gid, uid riles)
Message-ID: <15993079421.20010727191853@internethelp.ru>
In-Reply-To: <20010726212826.J40333-100000@achilles.silby.com>
References: <20010726212826.J40333-100000@achilles.silby.com>
Hello Mike,

Friday, July 27, 2001, 6:31:20 AM, you wrote:

MS> On Thu, 26 Jul 2001, Nickolay A.Kritsky wrote:

>> 01010 count ip from any to 212.113.112.145 via rl0
>> 01010 count ip from 212.113.112.145 to any via rl0
>> 01010 count ip from any to 212.113.112.145 uid nobody via rl0
>> 01010 count ip from any to 212.113.112.145 uid root via rl0
>> 01010 count ip from any to 212.113.112.145 uid httpd via rl0
>> 01010 count ip from any to 212.113.112.145 uid ftp via rl0

MS> The uid associated with a socket is the uid of the process which created
MS> it. So, when apache creates a socket as root, then hands it off to one of
MS> the httpd processes, it's still accounted to root. This should be true
MS> for any socket running on a port < 1024, as they have to be allocated as
MS> root.

Do you mean that after this code:

//----------------------------------------------------------------
setuid(0);                 /* running as root */
s = socket(...);           /* listening socket created while uid 0 */
listen(s, 1);
if (fork() != -1) {        /* fork succeeded: parent and child continue here */
    setuid(1);             /* drop privileges before accepting */
    k = accept(s);         /* accept() called while uid 1 */
}
. . .
//----------------------------------------------------------------

the socket pointed to by k will be "owned" by root?

Anyway, that is not the main point of my question. Accounting httpd traffic
is just a piece of cake - the port is fixed, the address is fixed. But I
wanted to count Squid traffic. AFAIK Squid does not do any setuid() voodoo,
except for the privilege drop at startup. After that it runs strictly as uid
'nobody'. But squid's traffic doesn't hit the counter!!! I wonder why. Maybe
it is because of natd running on the outer interface? But why then do some
packets hit the counter?

MS> So, you're going to have to account by port numbers. In httpd's case,
MS> that shouldn't be a problem. In ftp's case, that's another story.

In squid's case it is just impossible :\ . All I can think of so far is
adding an alias interface, binding squid to this interface and counting with
host src and dst fields, but adding another alias network interface every
time I add some new daemon and want to account its traffic looks a little
funny. IMHO, it looks just awful.

MS> FWIW, I had a patch which made the uid switch during accept on -current,
MS> but I figured that there were some subtle security-related problems with
MS> it and subsequently pigeonholed it.

Sorry, but what does FWIW mean?

MS> Mike "Silby" Silbersack

MS> To Unsubscribe: send mail to majordomo@FreeBSD.org
MS> with "unsubscribe freebsd-security" in the body of the message

;-------------------------------------------
; NKritsky
; SysAdmin InternetHelp.Ru
; http://www.internethelp.ru
; mailto:nkritsky@internethelp.ru
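The thread's practical problem is reading the counters behind a rule set like the one quoted above and finding out how much inbound traffic the per-uid `count` rules fail to attribute. The script below is an added example, not code from the thread or from FreeBSD: it parses the `rulenum packets bytes rule-text` lines that `ipfw -a list` prints, keys rules on their text rather than their number (all the accounting rules above share number 01010), and reports the gap between the plain "total" rule and the sum of the uid rules. Because a `uid` clause can only match packets that belong to a socket on the local box, that gap is the traffic with no local socket, which is where forwarded or natd-translated packets end up. The sample output is constructed; the host and interface are the ones from the thread, the counter values are made up.

```python
import re

# Constructed sample of `ipfw -a list` output (not taken from the thread):
# rule number, packet counter, byte counter, then the rule text.
# The counter values are invented for the example.
SAMPLE_IPFW_A_LIST = """\
01010       9100    7318700 count ip from any to 212.113.112.145 via rl0
01010       8900    1201300 count ip from 212.113.112.145 to any via rl0
01010       3200    4018200 count ip from any to 212.113.112.145 uid nobody via rl0
01010        400      52100 count ip from any to 212.113.112.145 uid root via rl0
01010       2100    2640000 count ip from any to 212.113.112.145 uid httpd via rl0
01010          0          0 count ip from any to 212.113.112.145 uid ftp via rl0
65535       1234     567890 deny ip from any to any
"""

# One `ipfw -a list` line: number, packets, bytes, rest of the rule.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")


def parse_ipfw_counters(text):
    """Return a list of (rule_number, packets, bytes, rule_text) tuples.

    Blank lines and lines without the three leading counters are skipped,
    so the parser tolerates headers or trailing whitespace.
    """
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        num, pkts, byts, body = m.groups()
        rules.append((int(num), int(pkts), int(byts), body))
    return rules


def uid_of(rule_text):
    """Return the name in a 'uid <name>' clause, or None if the rule has none."""
    m = re.search(r"\buid\s+(\S+)", rule_text)
    return m.group(1) if m else None


def inbound_accounting(rules, host):
    """Split the inbound count rules for `host` into total and per-uid bytes.

    Returns (total_bytes, {uid: bytes}, unattributed_bytes).
    `count` rules do not terminate rule processing, so a packet hits both
    the total rule and (at most) one uid rule; whatever hits the total rule
    but no uid rule belongs to no local socket on this machine.
    """
    needle = "count ip from any to %s" % host
    total = None
    per_uid = {}
    for _num, _pkts, byts, body in rules:
        if not body.startswith(needle):
            continue
        uid = uid_of(body)
        if uid is None:
            total = byts
        else:
            per_uid[uid] = per_uid.get(uid, 0) + byts
    if total is None:
        raise ValueError("no total count rule for %s" % host)
    unattributed = total - sum(per_uid.values())
    return total, per_uid, unattributed


if __name__ == "__main__":
    parsed = parse_ipfw_counters(SAMPLE_IPFW_A_LIST)
    total, per_uid, gap = inbound_accounting(parsed, "212.113.112.145")
    print("total inbound bytes: %d" % total)
    for uid, byts in per_uid.items():
        print("  uid %-8s %d" % (uid, byts))
    print("not attributable to any local socket: %d" % gap)
```

On a real box the input would come from `ipfw -a list` (or the per-rule form `ipfw -a show`); the parsing and the total-minus-uid check are the same. A large unattributed remainder is the signature of the situation described in the message: traffic passing through the firewall that is never owned by a local process, which no uid rule will ever count.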