From: Robert Watson <robert@fledge.watson.org>
Date: Mon, 11 Oct 2004 15:21:16 -0400 (EDT)
To: swp@swp.pp.ru
Cc: freebsd-net@freebsd.org, csjp@freebsd.org
Subject: IP options broken for raw sockets on cred downgrade (was: Re: why required root privileges to set multicast options now?)
List: freebsd-net (Networking and TCP/IP with FreeBSD)

On Sun, 10 Oct 2004, Robert Watson wrote:

> On Sun, 10 Oct 2004 swp@swp.pp.ru wrote:
>
> > FreeBSD 5.3-BETA7 Sun Oct 10 18:50:14 OMSST 2004
> >
> > ospfd (net/quagga from ports) run with credentials of quagga:quagga and
> > unable to set multicast options now.
> >
> > OSPF: can't setsockopt IP_ADD_MEMBERSHIP (AllSPFRouters): \
> >   Operation not permitted
> > OSPF: can't setsockopt IP_MULTICAST_LOOP(0): Operation not permitted
> > OSPF: can't setsockopt IP_MULTICAST_TTL(1): Operation not permitted
> > OSPF: can't setsockopt IP_MULTICAST_IF: Operation not permitted
> >
> > 5.2-CURRENT and 5.2.1 have no problem.
>
> This appears to have been introduced as a result of changes to permit
> root to bind raw sockets in jail. In particular, the likely control
> flow path to get the above errors was to perform setsockopt() on a UDP
> socket, which probably works its way down to in_control() to
> ip_ctloutput(). This would also explain why sdr stopped working for me
> a little while ago (I figured it was a bad package build). I've CC'd
> Christian as he might have some insight into how to clean this up.

The bug is now neatly illustrated by the ipsockopt regression test:

6.x:

  paprika# ./ipsockopt
  Running tests with ruid 0 euid 0 sock uid 0
  Running tests with ruid 0 euid 65534 sock uid 65534
  Running tests with ruid 0 euid 65534 sock uid 0
  ipsockopt: test_ip_uchar(SOCK_RAW, IP_TOS): initial getsockopt(): Operation not permitted

5.x:

  Running tests with ruid 0 euid 0 sock uid 0
  Running tests with ruid 0 euid 65534 sock uid 65534
  Running tests with ruid 0 euid 65534 sock uid 0
  PASS

The socket option operation works fine except in the case where a raw
socket was created as root, and then privilege was downgraded to the
normal user, at which point the process tries a socket option operation
(apparently of any sort, not just multicast). I'm surprised more things
haven't broken, such as aspects of ping(8). Maybe they have and nobody
has noticed :-).

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Principal Research Scientist, McAfee Research
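A minimal reproducer for the failing case in the thread (raw socket created as root, effective uid dropped to 65534, then a socket option call on that socket), added here as an example; it is not the ipsockopt regression test nor any code from the thread. It assumes a POSIX host with seteuid() and the IP_TOS option and must be started as root for the raw socket to be created at all; the function name and return codes are this example's own.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if getsockopt(IP_TOS) on a raw socket still works after the
 * effective uid has been dropped to drop_to, 0 if it fails (errno in *err),
 * and -1 if setup failed (a raw socket needs root). Mirrors the ipsockopt
 * case "ruid 0 euid 65534 sock uid 0" from the thread. */
int probe_raw_sockopt_after_downgrade(uid_t drop_to, int *err)
{
    int fd, tos = 0, ret;
    socklen_t len = sizeof(tos);

    *err = 0;
    fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);  /* created as root: sock uid 0 */
    if (fd < 0) {
        *err = errno;
        return -1;
    }
    /* Drop effective privilege; real and saved uid stay 0 so we can restore. */
    if (seteuid(drop_to) != 0) {
        *err = errno;
        close(fd);
        return -1;
    }
    /* The option call on the still-root-owned socket. The affected kernel in
     * the thread (the 6.x run) answered EPERM here; a correct one succeeds. */
    ret = getsockopt(fd, IPPROTO_IP, IP_TOS, &tos, &len);
    if (ret != 0)
        *err = errno;
    if (seteuid(0) != 0)  /* restore euid for the caller */
        perror("seteuid(0)");
    close(fd);
    return (ret == 0) ? 1 : 0;
}

int main(void)
{
    int err, r = probe_raw_sockopt_after_downgrade(65534, &err);
    if (r == -1)
        printf("setup failed (run as root?): %s\n", strerror(err));
    else if (r == 1)
        printf("PASS: getsockopt(IP_TOS) works after euid downgrade\n");
    else
        printf("FAIL: getsockopt(IP_TOS) after euid downgrade: %s\n", strerror(err));
    return (r == 1) ? 0 : 1;
}
```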