Date:      Sat, 19 Jun 1999 00:15:15 -0700 (PDT)
From:      Allan Saddi <asaddi@philosophysw.com>
To:        Frank Tobin <ftobin@bigfoot.com>
Cc:        FreeBSD-security Mailing List <freebsd-security@FreeBSD.ORG>
Subject:   Re: proposed secure-level 4 patch
Message-ID:  <Pine.BSF.4.10.9906190006320.20141-200000@shell2.ba.best.com>
In-Reply-To: <Pine.BSF.4.10.9906190053050.60212-200000@srh0710.urh.uiuc.edu>


[-- Attachment #1 --]
On Sat, 19 Jun 1999, Frank Tobin wrote:

> Okay, a good friend of mine Kris Wehner has written a patch to implement
> the proposed securelevel of 4, which would disallow the opening of
> secure ports (<1024) while in the securelevel of 4.

About the implementation of this feature... shouldn't the function
in_pcbbind() in netinet/in_pcb.c be modified instead? This will eliminate
having to check whether the protocol in question is IP. Also, it seems
like an ideal place for this patch since this is where the privilege
check is made for binding ports <1024.

I've included a similar patch which should accomplish the same thing. A
caveat though: I did not test this, nor did I even try to compile it. I
just created it to serve as a guide. It should be easy to whip it into
shape, if needs be...

-- 
Allan Saddi                         "The Earth is the cradle of mankind,
asaddi@philosophysw.com              but we cannot live in the cradle
http://www.philosophysw.com/asaddi/  forever." - K.E. Tsiolkovsky

[-- Attachment #2 --]
--- /usr/src/sys/netinet/in_pcb.c	Mon Dec  7 13:58:37 1998
+++ in_pcb.c	Sat Jun 19 00:03:54 1999
@@ -194,9 +194,12 @@
 			struct inpcb *t;
 
 			/* GROSS */
-			if (ntohs(lport) < IPPORT_RESERVED && p &&
-			    suser(p->p_ucred, &p->p_acflag))
-				return (EACCES);
+			if (ntohs(lport) < IPPORT_RESERVED) {
+				if (securelevel >= 4)
+					return (EACCES);
+				if (p && suser(p->p_ucred, &p->p_acflag))
+					return (EACCES);
+			}
 			if (so->so_uid &&
 			    !IN_MULTICAST(ntohl(sin->sin_addr.s_addr))) {
 				t = in_pcblookup_local(inp->inp_pcbinfo,
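Review bot: the `securelevel >= 4` test on the first added line runs before the `p &&` guard that the removed lines applied, so a bind with no process context (`p == NULL`, which the old code let through to the reserved range unconditionally) is now refused with EACCES once securelevel reaches 4; if in-kernel callers depend on that path, move the securelevel test inside the `if (p && ...)` branch, or say explicitly that refusing them is intended. Since the message states the patch was neither compiled nor tested, also confirm that `securelevel` is declared by a header in_pcb.c already includes, and extend the `/* GROSS */` comment so it describes the new securelevel rule rather than only the old suser() check.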
