Date:      Thu, 27 Mar 1997 12:43:22 PST
From:      Bill Fenner <fenner@parc.xerox.com>
To:        tqbf@enteract.com
Cc:        freebsd-security@freebsd.org
Subject:   Re: More netinet suser() stuff... 
Message-ID:  <97Mar27.124326pst.177486@crevenia.parc.xerox.com>
In-Reply-To: Your message of "Wed, 26 Mar 97 14:18:16 PST." <19970326221816.19637.qmail@smtp.enteract.com> 

tqbf@babel.enteract.com wrote:
>+ 	/* only allow raw sockets for ICMP (this is probably 
>+ 	 * a futile gesture, as I'm unsure that the kernel is 
>+ 	 * tight enough internally to prevent arbitrary network
>+ 	 * access, at least for sending packets, once a raw
>+ 	 * socket is allocated).
>+ 	 */

This is indeed the case.  This is more a portability issue than anything
else; before there was an IP_HDRINCL socket option, there were IPPROTO_RAW
sockets which implied IP_HDRINCL.  However, something like the following
might work:

*** raw_ip.c.orig	Thu Mar 27 20:33:40 1997
--- raw_ip.c	Thu Mar 27 20:34:30 1997
***************
*** 204,209 ****
--- 204,214 ----
  			m_freem(m);
  			return EINVAL;
  		}
+ 		if (inp->inp_ip.ip_p != IPPROTO_RAW &&
+ 		    ip->ip_p != inp->inp_ip.ip_p) {
+ 			m_freem(m);
+ 			return EACCESS;
+ 		}
  		if (ip->ip_id == 0)
  			ip->ip_id = htons(ip_id++);
  		/* XXX prevent ip_output from overwriting header fields */
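
Review bot: the added `return EACCESS;` uses a misspelled errno name. The constant is EACCES (one S), so this will not compile as written; suggest `return EACCES;`. A short comment above the new `if` would also help, stating that an IPPROTO_RAW socket is exempt and that any other raw socket may only send a header whose ip_p matches the protocol the socket was opened with, because the two-part condition is easy to misread.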

This allows IPPROTO_RAW sockets to continue to be used to write any
protocol, but other raw sockets to only allow the protocol with which
they were opened.

Note that traceroute still uses an IPPROTO_RAW socket to send packets,
so traceroute would need to be modified to be able to use this.  It's
probably as simple as saying "sndsock = s" instead of opening a second
socket.

[Also note that traceroute does a setuid(getuid()) as the 4th thing
in main(), so trying to protect it further might not be a good thing
to be spending a lot of time on]

  Bill


