Date:      Fri, 27 Jul 2001 22:43:00 -0500 (CDT)
From:      Mike Silbersack <silby@silby.com>
To:        "Nickolay A.Kritsky" <nkritsky@internethelp.ru>
Cc:        <security@FreeBSD.ORG>
Subject:   Re[2]: accounting with ipfw (gid, uid riles)
Message-ID:  <20010727223026.D43808-100000@achilles.silby.com>
In-Reply-To: <15993079421.20010727191853@internethelp.ru>


On Fri, 27 Jul 2001, Nickolay A.Kritsky wrote:

> Do you mean that after this code:
> //----------------------------------------------------------------
> setuid(0);
> s=socket(...);
> listen(s,1);
> if (fork()!=-1)
> {
> setuid(1);
> k=accept(s);
> }
> //----------------------------------------------------------------
> socket pointed by k will be "owned" by root?

Yes.

> Anyway, it is not the main point of my question. Accounting httpd
> traffic is just a piece of cake - the port is fixed, the address is
> fixed. But I wanted to count Squid traffic. AFAIK Squid does not do any
> setuid() voodoo, except for privileges drop at startup. After that it
> runs strictly uid 'nobody'. But squid's traffic doesn't hit the
> counter!!! I wonder why. Maybe it is because of natd running on outer
> interface? But why then some packets hit the counter?

If squid runs the listen as root, all sockets created from that listen
socket will also be accounted to root.  Same problem as the above.  I do
not know how natd would affect connections in terms of uid accounting.

Bug Robert Watson about this, the uid accounting is related to the
jail/acl/mac/etc stuff which he has / will be working on.  He could tell
you if the uid can be changed at the accept handoff or not.

> Sorry, but what does FWIW mean?

"For what it's worth"

Mike "Silby" Silbersack
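
An added example, not part of the original message: following the reply's point that accepted sockets are accounted to whoever owned the listening socket, this sketch drops privileges first and only then creates the listener, so the socket is never created as root. It only works for an unprivileged port; uid/gid 65534 for `nobody`, port 3128 and the function names are assumptions.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* The listening socket is created here, so the uid in effect at this call
 * is the one its accepted connections inherit. Port 0 = any free port. */
int make_listener(unsigned short port)
{
    struct sockaddr_in sa;
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(s, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(s, 16) != 0) {
        close(s);
        return -1;
    }
    return s;
}

/* Drop root for good (a real daemon also calls setgroups()). Returns 0 if
 * the process is unprivileged afterwards, -1 if the drop failed. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;                       /* nothing to drop */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0;     /* regaining root must fail */
}

int main(void)
{
    /* Assumed values: 65534 for nobody's uid/gid, 3128 for the proxy port. */
    if (drop_privileges(65534, 65534) != 0)
        return 1;
    int s = make_listener(3128);        /* socket() runs after the drop */
    if (s < 0)
        return 1;
    close(s);                           /* a real proxy would accept() on s here */
    return 0;
}
```

The ordering in the quoted snippet (socket and listen as root, setuid afterwards) is the one the reply says leaves accepted sockets accounted to root.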

