Date: Mon, 21 Jun 1999 09:24:16 -0500
From: Kris Wehner <kris@further.com>
To: Allan Saddi <asaddi@philosophysw.com>
Cc: Frank Tobin <ftobin@bigfoot.com>, kris@further.com, FreeBSD-security Mailing List <freebsd-security@FreeBSD.ORG>
Subject: Re: proposed secure-level 4 patch (fwd)
Message-ID: <19990621092414.A62936@happy.cow.org>
In-Reply-To: <Pine.BSF.4.10.9906200232120.6859-100000@shell2.ba.best.com>; from Allan Saddi on Sun, Jun 20, 1999 at 02:54:40AM -0700
References: <Pine.BSF.4.10.9906192320330.66866-300000@srh0710.urh.uiuc.edu> <Pine.BSF.4.10.9906200232120.6859-100000@shell2.ba.best.com>
Previously, Allan Saddi (asaddi@philosophysw.com) said:
> There are still problems with this no-bind-securelevel patch:

To resolve these problems (including the super-boneheaded network byte order problem), I moved the patch down to in_pcb.c so it handles UDP+TCP, swapped the <= for a < and it works like a champ. This is against -current.

If anyone is interested, I also fixed unionfs and the vfs_syscalls.c to disable unionfs mounts and mount -o union in securelevel >= 2.

kris

Attachment: in_pcb.diff

*** in_pcb.c-orig Tue Jun 22 09:28:42 1999 --- in_pcb.c Tue Jun 22 09:30:24 1999 *************** *** 175,180 **** --- 175,186 ---- if (sin->sin_family != AF_INET) return (EAFNOSUPPORT); #endif + /* + * Disallow bind if we are in super secure mode and port < 1024 + */ + if (sin->sin_family == AF_INET && ntohs(sin->sin_port) < IPPORT_RESERVED + && securelevel >= 4) + return EPERM; if (prison_ip(p, 0, &sin->sin_addr.s_addr)) return(EINVAL); lport = sin->sin_port;
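Review bot: the test `ntohs(sin->sin_port) < IPPORT_RESERVED` also matches sin_port == 0, and a zero port in in_pcbbind() means "let the kernel pick an ephemeral port" (the hunk's own trailing context, `lport = sin->sin_port;`, is where that value is taken), so at securelevel >= 4 an explicit bind() to port 0 is refused with EPERM even though no reserved port was asked for; add `sin->sin_port != 0 &&` in front of the comparison. Minor points: the surrounding code writes `return (EAFNOSUPPORT);`, so `return EPERM;` should be `return (EPERM);` for consistency, and the comment "port < 1024" would be better stated as "port < IPPORT_RESERVED" so it cannot drift from the constant actually tested.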
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990621092414.A62936>
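The condition from the attached hunk, modelled in userspace C as an added example (this is not the poster's code and not from the FreeBSD tree) so that the byte-order pitfall the post mentions and the port-0 case can be exercised without building a kernel. Assumptions: securelevel is passed as a parameter instead of being the kernel global, and the names bind_policy_check, bind_policy_check_raw, check_port and check_port_raw are invented for the illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#ifndef IPPORT_RESERVED
#define IPPORT_RESERVED 1024
#endif

/*
 * Userspace model of the check the posted patch adds to in_pcbbind()
 * (added example, not FreeBSD code). Returns 0 if the bind may proceed or
 * an errno value if it is refused. securelevel is a parameter here; in the
 * kernel it is a global.
 */
int bind_policy_check(const struct sockaddr_in *sin, int securelevel)
{
    if (sin->sin_family != AF_INET)
        return EAFNOSUPPORT;
    if (securelevel < 4)
        return 0;

    /* sin_port is stored in network byte order: convert before comparing. */
    uint16_t port = ntohs(sin->sin_port);

    /*
     * Port 0 asks the kernel to choose an ephemeral port, so it is not a
     * request for a reserved port; the posted hunk lacks this carve-out
     * and would refuse such binds as well.
     */
    if (port != 0 && port < IPPORT_RESERVED)
        return EPERM;
    return 0;
}

/*
 * The byte-order mistake the post refers to: comparing the raw
 * network-order field against a host-order constant. On a little-endian
 * host this denies port 1024 (raw value 0x0004) and allows port 80
 * (raw value 0x5000).
 */
int bind_policy_check_raw(const struct sockaddr_in *sin, int securelevel)
{
    if (securelevel < 4)
        return 0;
    if (sin->sin_port < IPPORT_RESERVED)
        return EPERM;
    return 0;
}

/* Build a sockaddr_in for INADDR_ANY:host_port and run the correct check. */
int check_port(uint16_t host_port, int securelevel)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(host_port);
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    return bind_policy_check(&sin, securelevel);
}

/* Same input, but through the flawed raw comparison. */
int check_port_raw(uint16_t host_port, int securelevel)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(host_port);
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    return bind_policy_check_raw(&sin, securelevel);
}

int main(void)
{
    /* Constructed sample ports: ephemeral, privileged, boundary, unprivileged. */
    static const uint16_t ports[] = { 0, 22, 80, 1023, 1024, 8080 };
    size_t i;

    printf("%6s %8s %8s %12s\n", "port", "level 3", "level 4", "raw compare");
    for (i = 0; i < sizeof ports / sizeof ports[0]; i++)
        printf("%6u %8d %8d %12d\n", (unsigned)ports[i],
               check_port(ports[i], 3), check_port(ports[i], 4),
               check_port_raw(ports[i], 4));
    return 0;
}
```

Running it on a little-endian machine shows the "raw compare" column disagreeing with the "level 4" column exactly on the boundary ports (1024 denied, 80 allowed), which is the class of bug the byte-order fix in the post removes; the port-0 row shows why the ephemeral case needs its own carve-out.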