Date: Tue, 12 Oct 2004 09:04:17 -0400 (EDT)
From: Robert Watson <rwatson@freebsd.org>
To: Giorgos Keramidas <keramida@freebsd.org>
Cc: swp@swp.pp.ru
Subject: Re: IP options broken for raw sockets on cred downgrade (was: Re: why required root privileges to set multicast options now?)
Message-ID: <Pine.NEB.3.96L.1041012085952.55701M-100000@fledge.watson.org>
In-Reply-To: <20041012112500.GA27309@orion.daedalusnetworks.priv>
On Tue, 12 Oct 2004, Giorgos Keramidas wrote:

> On 2004-10-11 16:31, Robert Watson <rwatson@freebsd.org> wrote:
> > + * NOTE: Regarding access control. Raw sockets may only be created by
> > + * privileged processes; however, as a result of jailed processes and the
> > + * ability for processes to downgrade privilege yet retain a reference to the
> > + * raw socket. As such, explicit access control is required here, or when
> > + * unimplemented requests are passed to ip_ctloutput(), are required there.
>
> Can we rewrite this descriptive comment a bit? I can't really
> understand what is being said by reading the comment. Reading the diff
> of the source is easy, but we should try to make the comment more
> comprehensible too ;-)

Maybe something like the following:

 * IMPORTANT NOTE regarding access control: Traditionally, raw sockets
 * could only be created by a privileged process, and as such, socket
 * option operations to manage system properties on any raw socket were
 * allowed to take place without explicit additional access control
 * checks. However, raw sockets can now also be created in jail(), and
 * therefore explicit checks are now required. Likewise, raw sockets can
 * be used by a process after it gives up privilege, so some caution is
 * required. For options passed down to the IP layer via ip_ctloutput(),
 * checks are assumed to be performed in ip_ctloutput() and therefore no
 * check occurs here. Unilaterally checking suser() here breaks normal IP
 * socket option operations on raw sockets.
 *
 * When adding new socket options here, make sure to add access control
 * checks here as necessary.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Principal Research Scientist, McAfee Research
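Review bot: the second sentence of the quoted `+ *` comment ("however, as a result of jailed processes and the ability for processes to downgrade privilege yet retain a reference to the raw socket.") has no main clause, so it never states what follows from jails and privilege downgrade, which is why the next sentence's "As such" has nothing to attach to. Spell out the consequence, e.g. "... retain a reference to the raw socket, the creator's privilege cannot be assumed when each request is made," and split the ip_ctloutput() case into its own sentence saying that options passed down are checked there and not here.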
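The three points of the rewritten comment (a socket created while privileged can outlive the privilege; options handled in the raw-socket layer therefore need a per-request check; but checking suser() on every option would break ordinary IP options), as an added illustration that is not part of this message or of FreeBSD's code. It is a constructed userland model: the `struct cred`, `priv_check_model()`, the option names and `ip_ctloutput_model()` are stand-ins for the kernel's credential, suser(), the real option numbers and ip_ctloutput(), and the three `rip_ctloutput_*` variants are hypothetical.

```c
/*
 * Constructed model of the access-control point discussed in the thread.
 * Not FreeBSD's rip_ctloutput()/ip_ctloutput(): every type, option name and
 * helper here is an assumption made for illustration.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed credential: uid plus a jail flag. */
struct cred {
    unsigned uid;
    bool jailed;
};

/* Stand-in for the kernel privilege check (suser() in the thread):
 * assumption that a jailed root is not privileged for these options. */
static bool priv_check_model(const struct cred *c)
{
    return c->uid == 0 && !c->jailed;
}

/* Constructed option classes, not real socket-option numbers. */
enum raw_opt {
    RAW_OPT_SYSTEM,   /* affects system state: handled by the raw layer */
    RAW_OPT_IP_PLAIN  /* ordinary IP option: passed down to the IP layer */
};

/* Stand-in for ip_ctloutput(): ordinary IP options need no privilege, and
 * any checks they do need are its responsibility, not the raw layer's. */
static int ip_ctloutput_model(const struct cred *cur, enum raw_opt opt)
{
    (void)cur;
    (void)opt;
    return 0;
}

/* A raw socket remembers its creator; the process using it later may
 * have dropped privilege or be in a jail, so the creator is no guide. */
struct rawsock {
    struct cred creator;
};

/* BEFORE: assumes only privileged processes hold raw sockets and never
 * looks at the current credential. */
static int rip_ctloutput_trusting(const struct rawsock *so,
                                  const struct cred *cur, enum raw_opt opt)
{
    (void)so;
    if (opt == RAW_OPT_SYSTEM)
        return 0;               /* downgraded caller succeeds: the bug */
    return ip_ctloutput_model(cur, opt);
}

/* NAIVE FIX: "unilaterally checking suser() here". A process that
 * legitimately dropped privilege can no longer set ordinary IP options. */
static int rip_ctloutput_suser_all(const struct rawsock *so,
                                   const struct cred *cur, enum raw_opt opt)
{
    (void)so;
    if (!priv_check_model(cur))
        return EPERM;
    if (opt == RAW_OPT_SYSTEM)
        return 0;
    return ip_ctloutput_model(cur, opt);
}

/* AFTER: explicit check on the current credential for options handled
 * here; options passed down rely on the IP layer's own checks. */
static int rip_ctloutput_checked(const struct rawsock *so,
                                 const struct cred *cur, enum raw_opt opt)
{
    (void)so;
    if (opt == RAW_OPT_SYSTEM)
        return priv_check_model(cur) ? 0 : EPERM;
    return ip_ctloutput_model(cur, opt);
}

/* Constructed scenario: root creates the socket, then the process drops to
 * uid 1000 (or is jailed) and keeps the descriptor. */
static const struct rawsock sock_from_root = { .creator = { .uid = 0, .jailed = false } };
static const struct cred downgraded = { .uid = 1000, .jailed = false };
static const struct cred jailed_root = { .uid = 0, .jailed = true };

int main(void)
{
    printf("trusting,  system opt after downgrade: %d (should be EPERM)\n",
           rip_ctloutput_trusting(&sock_from_root, &downgraded, RAW_OPT_SYSTEM));
    printf("suser-all, plain IP opt after downgrade: %d (breaks normal use)\n",
           rip_ctloutput_suser_all(&sock_from_root, &downgraded, RAW_OPT_IP_PLAIN));
    printf("checked,   system opt after downgrade: %d\n",
           rip_ctloutput_checked(&sock_from_root, &downgraded, RAW_OPT_SYSTEM));
    printf("checked,   plain IP opt after downgrade: %d\n",
           rip_ctloutput_checked(&sock_from_root, &downgraded, RAW_OPT_IP_PLAIN));
    printf("checked,   system opt from jailed root: %d\n",
           rip_ctloutput_checked(&sock_from_root, &jailed_root, RAW_OPT_SYSTEM));
    return 0;
}
```

The split in `rip_ctloutput_checked()` is the whole design point: the check has to be made against the credential presented with each request, and only for the options this layer actually implements, so that the socket's origin is never trusted and the IP layer's options keep working for an unprivileged holder.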