From owner-freebsd-security@FreeBSD.ORG Mon May 26 00:54:55 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D40F137B401 for ; Mon, 26 May 2003 00:54:55 -0700 (PDT)
Received: from thalia.otenet.gr (mailsrv.otenet.gr [195.170.0.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 828DA43FAF for ; Mon, 26 May 2003 00:54:54 -0700 (PDT) (envelope-from keramida@ceid.upatras.gr)
Received: from gothmog.gr (patr530-a020.otenet.gr [212.205.215.20]) by thalia.otenet.gr (8.12.9/8.12.9) with ESMTP id h4Q7snKd008379; Mon, 26 May 2003 10:54:50 +0300 (EEST)
Received: from gothmog.gr (gothmog [127.0.0.1]) by gothmog.gr (8.12.9/8.12.9) with ESMTP id h4Q7smhA029406; Mon, 26 May 2003 10:54:48 +0300 (EEST) (envelope-from keramida@ceid.upatras.gr)
Received: (from giorgos@localhost) by gothmog.gr (8.12.9/8.12.9/Submit) id h4Q7smXV029405; Mon, 26 May 2003 10:54:48 +0300 (EEST) (envelope-from keramida@ceid.upatras.gr)
Date: Mon, 26 May 2003 10:54:47 +0300
From: Giorgos Keramidas To: Santos Message-ID: <20030526075447.GA29390@gothmog.gr> References: <3ED06967.90306@cas.port995.com> <20030525234819.U21691@gothmog> <3ED19590.80309@cas.port995.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3ED19590.80309@cas.port995.com> cc: freebsd-security@freebsd.org Subject: Re: ipfirewall(4)) cannot be changed X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 May 2003 07:54:56 -0000 On 2003-05-26 05:18, Santos wrote: > Giorgos Keramidas wrote: > >Try this patch. Unless of course, you're not using IPFW version 1, > >in which case someone more knowledgeable will hopefully correct me :) > > > ><<<<<<< > >Index: ip_fw.c > >=================================================================== > >RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v > >retrieving revision 1.192 > >diff -u -r1.192 ip_fw.c > >--- sys/netinet/ip_fw.c 19 Feb 2003 05:47:33 -0000 1.192 > >+++ sys/netinet/ip_fw.c 25 May 2003 20:46:37 -0000 
> >@@ -95,7 +95,7 @@ > > > > #ifdef SYSCTL_NODE > > SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); > >-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW, > >+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE3, > > &fw_enable, 0, "Enable ipfw"); > > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW, > > &fw_one_pass, 0, > > Sorry i missed a uname and a grep :) Ah, that's fine. I don't have the time to test it now, but something similar to the following should do the trick. Sorry for not running this through a compile and a test run, but this is a very hectic day. Someone with enough time to run a full buildworld/buildkernel and fix any errors I have made should check that this fixes the problem and then notify the security officer. It looks like something that would be nice to have in STABLE *and* the security branches IMHO. <<<<<<< Index: ip_fw.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v retrieving revision 1.131.2.39 diff -u -r1.131.2.39 ip_fw.c --- ip_fw.c 20 Jan 2003 02:23:07 -0000 1.131.2.39 +++ ip_fw.c 26 May 2003 07:50:05 -0000 @@ -94,9 +94,25 @@ MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's"); #ifdef SYSCTL_NODE + +static int +sysctl_fw_enable(SYSCTL_HANDLER_ARGS) +{ + int error, v; + + if (securelevel >= 3) + return (ENOPERM); + + error = sysctl_handle_int(oidp, oidp->oid_arg1, 0, req); + if (error || !req->newptr) + return (error); + + return (0); +} + SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW, - &fw_enable, 0, "Enable ipfw"); +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, enable, CTLTYPE_INT|CTLFLAG_RW, + &fw_enable, 0, sysctl_fw_enable, "I", "Enable ipfw"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW, &fw_one_pass, 0, "Only do a single pass through ipfw when using dummynet(4)"); >>>>>>>
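Review bot: the quoted hunk against ip_fw.c revision 1.192 (the HEAD revision) makes the enable sysctl CTLFLAG_RW|CTLFLAG_SECURE3, which only builds where sys/sysctl.h provides CTLFLAG_SECURE3; Santos's remark that he missed a uname and a grep, and the follow-up diff against branch revision 1.131.2.39, indicate his tree is the stable branch, where that flag should be confirmed to exist before the hunk is applied. Where the flag is available this one-line form is preferable to a custom handler, because the sysctl layer itself refuses writes, and only writes, to the OID above the given securelevel while reads keep working.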
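Review bot: `return (ENOPERM);` in the new sysctl_fw_enable handler will not compile, since ENOPERM is not an errno defined in sys/errno.h; the errno for an operation refused by policy is EPERM, which is what the author's "not run through a compile" caveat would have caught. Two further points in the same function: `int error, v;` declares a `v` that is never used, which produces an unused-variable warning in the kernel build, and the securelevel test runs before sysctl_handle_int regardless of whether the request is a read or a write, so at securelevel 3 even a plain `sysctl net.inet.ip.fw.enable` fails instead of returning the current value. Gate only writes by testing req->newptr, after which the trailing `if (error || !req->newptr) return (error); return (0);` collapses to a single return:

	if (req->newptr != NULL && securelevel >= 3)
		return (EPERM);
	return (sysctl_handle_int(oidp, oidp->oid_arg1, 0, req));

Because the SYSCTL_PROC registration passes &fw_enable as arg1, the handler's arg1 parameter can be used directly in place of oidp->oid_arg1; the registration itself (CTLTYPE_INT|CTLFLAG_RW with the "I" format) is correct.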