From owner-freebsd-security Thu Mar 27 12:44:25 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id MAA20454 for security-outgoing; Thu, 27 Mar 1997 12:44:25 -0800 (PST)
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id MAA20443 for ; Thu, 27 Mar 1997 12:44:22 -0800 (PST)
Received: from crevenia.parc.xerox.com ([13.2.116.11]) by alpha.xerox.com with SMTP id <17089(7)>; Thu, 27 Mar 1997 12:43:34 PST
Received: from localhost by crevenia.parc.xerox.com with SMTP id <177486>; Thu, 27 Mar 1997 12:43:26 -0800
To: tqbf@enteract.com
cc: freebsd-security@freebsd.org
Subject: Re: More netinet suser() stuff...
In-reply-to: Your message of "Wed, 26 Mar 97 14:18:16 PST." <19970326221816.19637.qmail@smtp.enteract.com>
Date: Thu, 27 Mar 1997 12:43:22 PST
From: Bill Fenner
Message-Id: <97Mar27.124326pst.177486@crevenia.parc.xerox.com>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

tqbf@babel.enteract.com wrote:
>+	/* only allow raw sockets for ICMP (this is probably
>+	 * a futile gesture, as I'm unsure that the kernel is
>+	 * tight enough internally to prevent arbitrary network
>+	 * access, at least for sending packets, once a raw
>+	 * socket is allocated).
>+	 */

This is indeed the case.  This is more a portability issue than anything else; before there was an IP_HDRINCL socket option, there were IPPROTO_RAW sockets, which implied IP_HDRINCL.

However, something like the following might work:

*** raw_ip.c.orig	Thu Mar 27 20:33:40 1997
--- raw_ip.c	Thu Mar 27 20:34:30 1997
***************
*** 204,209 ****
--- 204,214 ----
  		m_freem(m);
  		return EINVAL;
  	}
+ 	if (inp->inp_ip.ip_p != IPPROTO_RAW &&
+ 	    ip->ip_p != inp->inp_ip.ip_p) {
+ 		m_freem(m);
+ 		return EACCESS;
+ 	}
  	if (ip->ip_id == 0)
  		ip->ip_id = htons(ip_id++);
  	/* XXX prevent ip_output from overwriting header fields */

This allows IPPROTO_RAW sockets to continue to be used to write any protocol, but other raw sockets to only allow the protocol with which they were opened.

Note that traceroute still uses an IPPROTO_RAW socket to send packets, so traceroute would need to be modified to be able to use this.  It's probably as simple as saying "sndsock = s" instead of opening a second socket.

[Also note that traceroute does a setuid(getuid()) as the 4th thing in main(), so trying to protect it further might not be a good thing to be spending a lot of time on]

  Bill
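Review bot: `return EACCESS;` in the added block will not compile as written, because there is no errno constant of that name; the standard spelling is `EACCES` (one S), which is also the value a caller would expect for "this socket may not send that". The check itself does what the message says: `inp->inp_ip.ip_p` is the protocol the socket was opened with, so only sockets opened with IPPROTO_RAW keep the old "write any protocol" behaviour, and every other raw socket must carry its own protocol in the header it supplied. Since the IPPROTO_RAW exemption is a deliberate compatibility choice and not an oversight, a one-line comment above the `if` saying so would save the next reader from "fixing" it.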
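The behaviour the thread is about, from the userland side, as an added example that is not part of Bill's message or of the FreeBSD source: a raw socket opened for IPPROTO_ICMP, with IP_HDRINCL turned on, is handed a hand-built IPv4 header whose protocol field says UDP. On a kernel without a check like the one above the packet goes out; with the check it should come back EACCES. The packet builder and checksum are testable offline; actually sending needs root (or CAP_NET_RAW), and the example assumes the kernel takes ip_len in network order (Linux and current BSDs do; the 1997 BSD stack took host order). The addresses, ports and payload are constructed sample values.

```c
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Minimal UDP header, defined here so the example does not depend on the
 * BSD-vs-Linux field names in <netinet/udp.h>. */
struct udp_header {
    uint16_t sport;
    uint16_t dport;
    uint16_t len;
    uint16_t sum;
};

/* RFC 1071 one's-complement sum over len bytes, returned in host order
 * (store it with htons()). Running it again over a header whose checksum
 * field is already filled in yields 0, which is how the test verifies it. */
uint16_t ip_checksum(const void *data, size_t len)
{
    const uint8_t *p = data;
    uint32_t sum = 0;
    while (len > 1) {
        sum += ((uint32_t)p[0] << 8) | p[1];
        p += 2;
        len -= 2;
    }
    if (len)
        sum += (uint32_t)p[0] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build IPv4 + UDP + payload into buf; returns total length or 0 on error.
 * ip_id is left 0 so the kernel's "if (ip->ip_id == 0)" path fills it in.
 * Assumption: ip_len in network order (see lead-in). */
size_t build_udp_packet(uint8_t *buf, size_t cap, const char *src, const char *dst,
                        uint16_t sport, uint16_t dport, const uint8_t *payload, size_t plen)
{
    struct ip iph;
    struct udp_header udph;
    size_t total = sizeof iph + sizeof udph + plen;

    if (cap < total || total > 65535)
        return 0;
    memset(&iph, 0, sizeof iph);
    iph.ip_v = 4;
    iph.ip_hl = 5;
    iph.ip_len = htons((uint16_t)total);
    iph.ip_ttl = 64;
    iph.ip_p = IPPROTO_UDP;              /* not ICMP: the mismatch the patch rejects */
    if (inet_pton(AF_INET, src, &iph.ip_src) != 1 || inet_pton(AF_INET, dst, &iph.ip_dst) != 1)
        return 0;
    iph.ip_sum = htons(ip_checksum(&iph, sizeof iph));

    udph.sport = htons(sport);
    udph.dport = htons(dport);
    udph.len = htons((uint16_t)(sizeof udph + plen));
    udph.sum = 0;                        /* UDP over IPv4 may omit the checksum */

    memcpy(buf, &iph, sizeof iph);
    memcpy(buf + sizeof iph, &udph, sizeof udph);
    memcpy(buf + sizeof iph + sizeof udph, payload, plen);
    return total;
}

/* Open a raw socket for open_proto, set IP_HDRINCL and send pkt as-is.
 * Returns 0 if the kernel accepted it, otherwise -errno (needs root). */
int send_via_raw(int open_proto, const uint8_t *pkt, size_t len)
{
    struct sockaddr_in sin;
    int s, one = 1, err = 0;

    if (len < sizeof(struct ip))
        return -EINVAL;
    s = socket(AF_INET, SOCK_RAW, open_proto);
    if (s < 0)
        return -errno;
    if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, &one, sizeof one) < 0) {
        err = -errno;
        close(s);
        return err;
    }
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    memcpy(&sin.sin_addr, pkt + 16, sizeof sin.sin_addr);   /* ip_dst lives at offset 16 */
    if (sendto(s, pkt, len, 0, (struct sockaddr *)&sin, sizeof sin) < 0)
        err = -errno;
    close(s);
    return err;
}

/* Constructed sample: 5-byte payload to localhost, so total = 20 + 8 + 5 = 33. */
uint8_t sample_pkt[128];
size_t build_sample_packet(void)
{
    static const uint8_t payload[] = "hello";
    return build_udp_packet(sample_pkt, sizeof sample_pkt, "127.0.0.1", "127.0.0.1",
                            40000, 40001, payload, sizeof payload - 1);
}

int main(void)
{
    size_t n = build_sample_packet();
    int rc;
    if (n == 0) {
        fprintf(stderr, "packet build failed\n");
        return 1;
    }
    rc = send_via_raw(IPPROTO_ICMP, sample_pkt, n);
    if (rc == 0)
        printf("ICMP raw socket sent a UDP packet: no per-protocol check in this kernel\n");
    else
        printf("sendto on the ICMP raw socket failed: %s\n", strerror(-rc));
    return 0;
}
```

Run it as root: a plain "sent" means the kernel let an ICMP socket emit a non-ICMP datagram, which is exactly the "futile gesture" in the quoted comment; an EACCES means a check along the lines of the patch is in place, and EPERM before the socket is even open means you are not root.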