From: Mike Silbersack <silby@silby.com>
To: "Nickolay A.Kritsky"
Date: Fri, 27 Jul 2001 22:43:00 -0500 (CDT)
Subject: Re[2]: accounting with ipfw (gid, uid rules)
In-Reply-To: <15993079421.20010727191853@internethelp.ru>
Message-ID: <20010727223026.D43808-100000@achilles.silby.com>
List: freebsd-security@FreeBSD.ORG

On Fri, 27 Jul 2001, Nickolay A.Kritsky wrote:

> do you mean that after this code:
> //----------------------------------------------------------------
> setuid(0);
> s=socket(...);
> listen(s,1);
> if (fork()!=-1)
> {
>     setuid(1);
>     k=accept(s, NULL, NULL);
> }
> //----------------------------------------------------------------
> socket pointed by k will be "owned" by root?

Yes.

> Anyway, it is not the main point of my question. Accounting httpd
> traffic is just a piece of cake - the port is fixed, the address is
> fixed. But I wanted to count Squid traffic. AFAIK Squid does not do any
> setuid() voodoo, except for privilege drop at startup. After that it
> runs strictly uid 'nobody'. But squid's traffic doesn't hit the
> counter!!! I wonder why. Maybe it is because of natd running on outer
> interface? But why then some packets hit the counter?

If squid runs the listen as root, all sockets created from that listen
socket will also be accounted to root. Same problem as the above.

I do not know how natd would affect connections in terms of uid
accounting. Bug Robert Watson about this, the uid accounting is related
to the jail/acl/mac/etc stuff which he has / will be working on. He
could tell you if the uid can be changed at the accept handoff or not.

> Sorry, but what does FWIW mean?

"For what it's worth"

Mike "Silby" Silbersack
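The ordering Mike describes (listen as root, then setuid) is what leaves every accepted connection charged to uid 0. As an added example, not code from the thread, here is the ordering that makes an ipfw "uid" rule match: drop privileges first, then create the listening socket. The struct records the effective uid at socket() time, which is the credential FreeBSD attaches to a socket and hands on to the sockets returned by accept(); the user name "nobody" and the ephemeral loopback port are assumptions so the program runs stand-alone without root.

```c
/* Added example (not from the thread): the ORDER of setuid() relative to
 * socket() decides which uid ipfw uid/gid rules will charge a daemon's
 * connections to. A socket takes the creator's credential at socket()
 * time, and accept()ed sockets inherit it from the listener, so a daemon
 * that listens as root and drops privileges afterwards keeps all its
 * traffic accounted to root. Portable POSIX code. */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdint.h>
#include <string.h>
#include <pwd.h>
#include <stdio.h>

/* Snapshot of the credential the listener (and its accepted sockets)
 * will be accounted under. */
struct listener {
    int fd;
    uid_t owner_uid;  /* effective uid at socket() time */
    uint16_t port;    /* port actually bound (request 0 for ephemeral) */
};

/* Create a loopback TCP listener and record which uid "owns" it. */
int make_listener(uint16_t port, struct listener *out) {
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    out->fd = fd;
    out->owner_uid = geteuid();   /* the uid an "ipfw ... uid" rule sees */
    out->port = ntohs(sa.sin_port);
    return 0;
}

/* Drop to `user` (only if we are root) BEFORE opening the listener, so the
 * listener and everything accept()ed from it carry the unprivileged uid.
 * Returns 0 on success, -1 on failure. "nobody" is an assumed user name. */
int drop_privs_then_listen(const char *user, uint16_t port, struct listener *out) {
    if (geteuid() == 0) {
        struct passwd *pw = getpwnam(user);
        if (pw == NULL) return -1;
        if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) return -1;
        if (setuid(0) == 0) return -1;  /* the drop must be irreversible */
    }
    return make_listener(port, out);
}

/* 1 if the listener was created under the uid a "uid <user>" ipfw rule
 * for `expected` would match, 0 if its traffic would be charged elsewhere. */
int listener_matches_uid(const struct listener *l, uid_t expected) {
    return l->owner_uid == expected;
}

int main(void) {
    struct listener l;
    if (drop_privs_then_listen("nobody", 0, &l) != 0) {
        perror("drop_privs_then_listen");
        return 1;
    }
    printf("listening on 127.0.0.1:%u as uid %u\n",
           (unsigned)l.port, (unsigned)l.owner_uid);
    close(l.fd);
    return 0;
}
```

The check to carry over to a real daemon is the position of `make_listener` relative to the `setuid` call: if the listener is opened while `geteuid()` is still 0, counting rules keyed on the unprivileged uid will not see its connections, which is exactly the symptom described for Squid above.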