From owner-freebsd-ports-bugs@FreeBSD.ORG Thu Dec 30 23:30:09 2010
Message-Id: <1293751364.437901.33604.nullmailer@experts-exchange.com>
Date: Thu, 30 Dec 2010 15:22:44 -0800
From: Jason Helfman
To: FreeBSD-gnats-submit@FreeBSD.org
X-GNATS-Notify: jay@experts-exchange.com
Subject: ports/153568: [patch] security/stunnel: enables transparent configuration option through application of IP_BINDANY
List-Id: Ports bug reports

>Number:         153568
>Category:       ports
>Synopsis:       [patch] security/stunnel: enables transparent configuration option through application of IP_BINDANY
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 30 23:30:09 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Jason Helfman
>Release:        FreeBSD 8.1-RELEASE i386
>Organization:   Experts Exchange, LLC.
>Environment:
System: FreeBSD eggman.experts-exchange.com 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:55:53 UTC 2010 root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
There is a transparency option for stunnel that doesn't work in FreeBSD, as it is using a kernel call that isn't supported in FreeBSD. FreeBSD 8 has the correct code for this to operate as designed; however, it should be using IP_BINDANY.
http://www.stunnel.org/faq/stunnel.html (look for "transparent")
>How-To-Repeat:
install security/stunnel
add/change 'transparency = yes' to stunnel.conf
start service

It should fail with this error when the network connection is used through stunnel:

local_bind (original port): Can't assign requested address (49)

With the included patch, this error will come up if 'setuid' and 'setgid' are not configured as described below:

setsockopt IP_BINDANY: Operation not permitted (1)
>Fix:
add/change 'transparency = yes' to stunnel.conf
add/change 'setuid = root' to stunnel.conf
add/change 'setgid = wheel' to stunnel.conf
start service

pf rules are believed to be required as an end-to-end solution; however, this will allow the 'transparent' option to work.

--- security/stunnel/Makefile.orig 2010-12-30 12:15:43.000000000 -0800 +++ security/stunnel/Makefile 2010-12-30 12:15:54.000000000 -0800 @@ -7,7 +7,7 @@ PORTNAME= stunnel PORTVERSION= 4.34 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security MASTER_SITES= http://www.stunnel.org/download/stunnel/src/ \ http://mirrors.zerg.biz/stunnel/%SUBDIR%/ \ @@ -95,6 +95,10 @@ ${WRKSRC}/tools/Makefile.in .endif +.if ${OSVERSION} >= 800000 + @cd ${WRKSRC} && ${PATCH} --quiet < ${FILESDIR}/bindany_client.c +.endif + post-install: @${SETENV} PKG_PREFIX=${PREFIX} ${SH} \ ${PKGINSTALL} ${PKGNAME} POST-INSTALL --- /dev/null 2010-12-30 12:17:09.000000000 -0800 +++ security/stunnel/files/bindany_client.c 2010-12-30 12:14:04.000000000 -0800
@@ -0,0 +1,22 @@ +--- ./src/client.c.orig 2010-12-30 09:53:09.000000000 -0800 ++++ ./src/client.c 2010-12-30 09:54:32.000000000 -0800 +@@ -1034,15 +1034,15 @@ + static void local_bind(CLI *c) { + SOCKADDR_UNION addr; + +-#ifdef IP_TRANSPARENT ++#ifdef IP_BINDANY + int on=1; + if(c->opt->option.transparent) { +- if(setsockopt(c->fd, SOL_IP, IP_TRANSPARENT, &on, sizeof on)) +- sockerror("setsockopt IP_TRANSPARENT"); ++ if(setsockopt(c->fd, IPPROTO_IP, IP_BINDANY, &on, sizeof on)) ++ sockerror("setsockopt IP_BINDANY"); + /* ignore the error to retain Linux 2.2 compatibility */ + /* the error will be handled by bind(), anyway */ + } +-#endif /* IP_TRANSPARENT */ ++#endif /* IP_BINDANY */ + + memcpy(&addr, &c->bind_addr.addr[0], sizeof addr); + if(ntohs(addr.in.sin_port)>=1024) { /* security check */ >Release-Note: >Audit-Trail: >Unformatted:
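Review bot: the second Makefile hunk applies the patch with an ad-hoc `@cd ${WRKSRC} && ${PATCH} --quiet < ${FILESDIR}/bindany_client.c` recipe line whose enclosing target is not visible in the hunk (the context line `${WRKSRC}/tools/Makefile.in` is the tail of an earlier command, so the new line silently inherits whatever target that belongs to), and `--quiet` hides a failed or fuzzy apply. The ports framework already has a mechanism for a conditional patch: name the file `files/extra-patch-src-client.c` and put `EXTRA_PATCHES+= ${FILESDIR}/extra-patch-src-client.c` inside the `.if ${OSVERSION} >= 800000` block, so it is applied by the normal patch stage with the standard options and aborts the build if it does not apply. The current name `bindany_client.c` also reads as a C source rather than a patch when browsing `files/`.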
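Review bot: the client.c hunk replaces the `#ifdef IP_TRANSPARENT` branch instead of adding a second one, so the patched source no longer compiles the Linux path and the retained comment `/* ignore the error to retain Linux 2.2 compatibility */` no longer describes the code under it. A form that keeps both and could be sent upstream is `#if defined(IP_TRANSPARENT)` ... `#elif defined(IP_BINDANY)` ... `#endif`, using `IPPROTO_IP` as the level in both arms (on Linux `SOL_IP` equals `IPPROTO_IP`; FreeBSD has no `SOL_IP`, which is why the original code failed to build there). Two caveats belong in the PR text: the hunk only touches the IPv4 option (`IPPROTO_IP`/`IP_BINDANY`), so IPv6 connections through stunnel keep failing at `bind()`; and because `IP_BINDANY` needs `PRIV_NETINET_BINDANY`, the `setuid = root` / `setgid = wheel` workaround in >Fix means stunnel keeps root for its whole lifetime rather than only for socket setup, which widens the blast radius of any bug in the TLS or protocol-negotiation code. `sockerror()` only logs, so an unprivileged `setsockopt` still falls through to `bind()` and surfaces as the EADDRNOTAVAIL (49) shown in How-To-Repeat; stating that in the PR would save the next person a confusing log.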
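The repro and the fix described above, as an added stand-alone example that is not stunnel's or the port's own code: `set_transparent()` selects IP_TRANSPARENT on Linux and IP_BINDANY on FreeBSD 8 and later (both at level IPPROTO_IP), and `bind_nonlocal()` mirrors the flow of stunnel's `local_bind()`, including its rule of not reusing a source port below 1024, so the "Can't assign requested address" (EADDRNOTAVAIL, 49 on FreeBSD) from How-To-Repeat and the "Operation not permitted" (EPERM) from an unprivileged setsockopt can be observed directly. The address 198.51.100.1 is a constructed TEST-NET-2 address assumed not to be configured on the host; the function names are this example's own.

```c
/* Added example, not stunnel code: what local_bind() does on each platform. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Name of the "bind to a non-local source address" option this build uses. */
const char *transparent_option_name(void)
{
#if defined(IP_TRANSPARENT)
    return "IP_TRANSPARENT";   /* Linux */
#elif defined(IP_BINDANY)
    return "IP_BINDANY";       /* FreeBSD 8 and later */
#else
    return NULL;
#endif
}

/* Enable source-address spoofing on fd.
 * Returns 0 on success, the setsockopt errno on failure (EPERM when the
 * process lacks the privilege: root / PRIV_NETINET_BINDANY on FreeBSD),
 * or ENOPROTOOPT if the platform has no such option at all. */
int set_transparent(int fd)
{
    int on = 1;
#if defined(IP_TRANSPARENT)
    /* IPPROTO_IP == SOL_IP on Linux, and FreeBSD has no SOL_IP, so
     * IPPROTO_IP is the portable level for both options. */
    return setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &on, sizeof on) ? errno : 0;
#elif defined(IP_BINDANY)
    return setsockopt(fd, IPPROTO_IP, IP_BINDANY, &on, sizeof on) ? errno : 0;
#else
    (void)fd; (void)on;
    return ENOPROTOOPT;
#endif
}

/* Mirror of stunnel's local_bind(): create a TCP socket, optionally enable
 * the transparent option, then bind it to src:port as the outgoing source.
 * Like stunnel, a privileged source port (< 1024) is never reused; the
 * kernel picks an ephemeral one instead.  Returns 0 if bind() succeeded,
 * otherwise the errno of the failing call.  *opt_rc (if non-NULL) receives
 * set_transparent()'s result, so callers can tell EPERM from EADDRNOTAVAIL. */
int bind_nonlocal(const char *src, unsigned short port, int transparent, int *opt_rc)
{
    struct sockaddr_in sa;
    int fd, rc = 0, err;

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port >= 1024 ? port : 0);   /* stunnel's security check */
    if (inet_pton(AF_INET, src, &sa.sin_addr) != 1) {
        close(fd);
        return EINVAL;
    }
    if (transparent)
        rc = set_transparent(fd);   /* as in stunnel, a failure here is only reported */
    if (opt_rc)
        *opt_rc = rc;
    err = bind(fd, (struct sockaddr *)&sa, sizeof sa) ? errno : 0;
    close(fd);
    return err;
}

int main(void)
{
    /* 198.51.100.1: constructed TEST-NET-2 address, assumed absent from this host. */
    int opt = 0, err;
    const char *name = transparent_option_name();

    printf("option: %s\n", name ? name : "(none)");
    err = bind_nonlocal("198.51.100.1", 40000, 0, NULL);
    printf("bind without option: %s (%d)\n", err ? strerror(err) : "ok", err);
    err = bind_nonlocal("198.51.100.1", 40000, 1, &opt);
    printf("setsockopt: %s (%d); bind: %s (%d)\n",
           opt ? strerror(opt) : "ok", opt, err ? strerror(err) : "ok", err);
    return 0;
}
```

Run it twice, once unprivileged and once as root: the first run shows the setsockopt EPERM followed by the same EADDRNOTAVAIL as the unpatched build, the second shows both calls succeeding, which is exactly the difference the `setuid = root` line in >Fix makes.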