Date: Tue, 12 Oct 2004 14:25:00 +0300
From: Giorgos Keramidas <keramida@freebsd.org>
To: Robert Watson <rwatson@freebsd.org>
Cc: swp@swp.pp.ru
Subject: Re: IP options broken for raw sockets on cred downgrade (was: Re: why required root privileges to set multicast options now?)
Message-ID: <20041012112500.GA27309@orion.daedalusnetworks.priv>
In-Reply-To: <Pine.NEB.3.96L.1041011163050.31040a-100000@fledge.watson.org>
References: <Pine.NEB.3.96L.1041011151504.31040X-100000@fledge.watson.org> <Pine.NEB.3.96L.1041011163050.31040a-100000@fledge.watson.org>
On 2004-10-11 16:31, Robert Watson <rwatson@freebsd.org> wrote: > + * NOTE: Regarding access control. Raw sockets may only be created by > + * privileged processes; however, as a result of jailed processes and the > + * ability for processes to downgrade privilege yet retain a reference to the > + * raw socket. As such, explicit access control is required here, or when > + * unimplemented requests are passed to ip_ctloutput(), are required there. Can we rewrite this descriptive comment a bit? I can't really understand what is being said by reading the comment. Reading the diff of the source is easy, but we should try to make the comment more comprehensible too ;-)
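Review bot: the second sentence of the added NOTE comment has no main clause, so it never states what follows from jails and privilege downgrade: "however, as a result of jailed processes and the ability for processes to downgrade privilege yet retain a reference to the raw socket." stops before saying what the result is. The last sentence also doubles its verb ("explicit access control is required here, or ... are required there"). If the intent is that a process may still hold a raw socket after it has lost the privilege needed to create one, say that directly, then state in one sentence that the access check must therefore be made on each request here, and in ip_ctloutput() for the requests this code does not implement and passes through.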