Date: Mon, 29 Mar 2004 10:40:03 -0800 (PST)
From: Robert Watson <rwatson@FreeBSD.org>
To: freebsd-bugs@FreeBSD.org
Subject: Re: misc/64694: UID/GID matching in ipfw non-functional
Message-ID: <200403291840.i2TIe3FP081438@freefall.freebsd.org>
The following reply was made to PR misc/64694; it has been noted by GNATS.

From: Robert Watson <rwatson@FreeBSD.org>
To: Grant Millar <Co0lkizz@btinternet.com>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: misc/64694: UID/GID matching in ipfw non-functional
Date: Mon, 29 Mar 2004 13:33:21 -0500 (EST)

On Sat, 27 Mar 2004, Grant Millar wrote:

> Here is the ssh socket showing it owned by root;
> sshd 4722 root 5u IPv4 0xdcd94940 0t0 TCP
> 66.90.98.2:ssh->host81-128-227-64.inaddr.btopenworld.com:22804
> (ESTABLISHED)

sshd and httpd sockets are owned by root because these daemons bind the sockets while running with root privilege, and the "owner" of a socket is its creator. This is a necessary evil for at least a couple of reasons, including the following: a single socket may be referenced by many processes, and therefore there is no notion of a "current process using socket", so the only consistent notion is the creator. This was an intentional design choice by the designers of the sockets API, who chose to represent network endpoints as file-like objects, and the existing UNIX APIs allow file object references to be inherited and transferred from process to process (and be shared).

There's arguably a bug, however, in sshd: while the primary port 22 binding is necessarily created by a root process due to the UNIX notion of privilege, the SSH "forwarded ports" do *not* need to be bound by the root user. It's a bug in sshd that it creates the sockets before switching to the user credential; I've previously reported this bug to the SSH authors but have not seen a response on that.

Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org Senior Research Scientist, McAfee Research
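An added example, not code from the thread or from FreeBSD: a small Python audit that parses lsof-style socket lines like the one quoted above and lists root-owned listeners on unprivileged ports, which are exactly the sockets an ipfw `uid`/`gid` rule written for the service's unprivileged user will never match, since the rule is checked against the socket creator's credential. The sample lines and the service-name table are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed lsof-style output. The first line mirrors the format quoted in
# the PR; the remaining lines are made up to show the cases that matter.
SAMPLE_LSOF = """\
sshd      4722 root   5u  IPv4 0xdcd94940 0t0 TCP 66.90.98.2:ssh->host81-128-227-64.inaddr.btopenworld.com:22804 (ESTABLISHED)
sshd      4722 root   7u  IPv4 0xdcd95120 0t0 TCP 127.0.0.1:8080 (LISTEN)
httpd     1201 root   4u  IPv4 0xdcd96000 0t0 TCP *:http (LISTEN)
python    5310 alice  3u  IPv4 0xdcd97000 0t0 TCP 127.0.0.1:8000 (LISTEN)
"""

# Minimal service table so the example runs without /etc/services (constructed).
SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443}
PRIVILEGED_PORT_MAX = 1023


@dataclass
class Sock:
    command: str
    pid: int
    owner: str   # credential of the socket's *creator*, as the mail explains
    local: str   # local address:port, without the peer part
    state: str


def parse_lsof_line(line: str) -> Optional[Sock]:
    """Parse one lsof -i line: COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME [(STATE)]."""
    parts = line.split()
    if len(parts) < 9 or parts[7] not in ("TCP", "UDP"):
        return None
    local = parts[8].split("->", 1)[0]          # drop the peer on connected sockets
    state = parts[9].strip("()") if len(parts) > 9 else ""
    return Sock(parts[0], int(parts[1]), parts[2], local, state)


def port_of(local: str) -> Optional[int]:
    """Numeric port of 'addr:port' or 'addr:service'; None if unknown."""
    svc = local.rsplit(":", 1)[-1]
    return int(svc) if svc.isdigit() else SERVICE_PORTS.get(svc)


def root_owned_unprivileged_listeners(lsof_output: str) -> List[Sock]:
    """Root-owned LISTEN sockets on ports that did not need root to bind.

    A uid/gid ipfw rule for the daemon's unprivileged user cannot match these,
    because the socket was created (and is therefore owned) by root.
    """
    found = []
    for line in lsof_output.splitlines():
        s = parse_lsof_line(line)
        if s is None or s.state != "LISTEN" or s.owner != "root":
            continue
        port = port_of(s.local)
        if port is not None and port > PRIVILEGED_PORT_MAX:
            found.append(s)
    return found
```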