Date: Thu, 27 Mar 1997 15:45:54 -0600 (CST)
From: "Thomas H. Ptacek" <tqbf@enteract.com>
To: fenner@parc.xerox.com (Bill Fenner)
Cc: tqbf@enteract.com, freebsd-security@freebsd.org
Subject: Re: More netinet suser() stuff...
Message-ID: <199703272145.PAA13555@enteract.com>
In-Reply-To: <97Mar27.124326pst.177486@crevenia.parc.xerox.com> from "Bill Fenner" at Mar 27, 97 12:43:22 pm

> This is indeed the case. This is more a portability issue than anything
> else; before there was an IP_HDRINCL socket option, there was IPPROTO_RAW
> sockets which implied IP_HDRINCL. However, something like the following
> might work:

Thanks for clarifying! Is there an obvious way to use an IPPROTO_ICMP raw
socket to read packets other than ICMP? From what I can see, packets aren't
ever passed through the socket code except through the protocol switches.

> Note that traceroute still uses an IPPROTO_RAW socket to send packets,

Only if it can't look up "icmp" in /etc/protocols, at least in version 1.3.2
(distributed with FreeBSD 3.0). It should by default open an IPPROTO_ICMP
socket.

> [Also note that traceroute does a setuid(getuid()) as the 4th thing
> in main(), so trying to protect it further might not be a good thing
> to be spending a lot of time on]

This does nothing to resolve problems in the C runtime support library. The
fewer SUID root programs on the system, the better, says I. =)

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"If you're so special, why aren't you dead?"
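
The pattern discussed in this message (open the raw socket while privileged, then `setuid(getuid())`), written out as an added example; it is not code from the original e-mail or from traceroute. The function names `open_icmp_socket` and `drop_privileges` are hypothetical, and the comments mark where the runtime-library caveat raised above applies.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Acquire the one privileged resource. Returns the fd, or -1 without root. */
int open_icmp_socket(void)
{
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

/* Permanently give up set-id privileges. Returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: once the uid is dropped, setgid() may no longer be allowed. */
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;

    /* Check the drop took effect and, for a non-root caller, cannot be undone. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    if (ruid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return 0;
}

int main(void)
{
    /* Everything that ran before this line (C runtime startup) ran as root. */
    int fd = open_icmp_socket();

    if (drop_privileges() != 0) {
        fprintf(stderr, "could not drop privileges, refusing to continue\n");
        return 1;
    }
    if (fd < 0) {
        fprintf(stderr, "raw ICMP socket unavailable (not installed set-uid root?)\n");
        return 1;
    }
    printf("raw ICMP socket on fd %d, now running as uid %d\n", fd, (int)getuid());
    close(fd);
    return 0;
}
```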