Date: Thu, 30 Dec 2010 15:22:44 -0800
From: Jason Helfman <jhelfman@experts-exchange.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/153568: [patch] security/stunnel: enables transparent configuration option through application of IP_BINDANY
Message-ID: <1293751364.437901.33604.nullmailer@experts-exchange.com>
Resent-Message-ID: <201012302330.oBUNU92A052679@freefall.freebsd.org>
>Number: 153568
>Category: ports
>Synopsis: [patch] security/stunnel: enables transparent configuration option through application of IP_BINDANY
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Dec 30 23:30:09 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Jason Helfman
>Release: FreeBSD 8.1-RELEASE i386
>Organization: Experts Exchange, LLC.
>Environment:
System: FreeBSD eggman.experts-exchange.com 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:55:53 UTC 2010 root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
There is a transparency option for stunnel that doesn't work in FreeBSD, as it is using a kernel call that isn't supported in FreeBSD. FreeBSD 8 has the correct code for this to operate as designed; however, it should be using IP_BINDANY.
http://www.stunnel.org/faq/stunnel.html (look for "transparent")
>How-To-Repeat:
install security/stunnel
add/change 'transparency = yes' to stunnel.conf
start service
It should fail with this error when the network connection is used through stunnel:
local_bind (original port): Can't assign requested address (49)
With the included patch, this error will come up if 'setuid' and 'setgid' are not configured as described below:
setsockopt IP_BINDANY: Operation not permitted (1)
>Fix:
add/change 'transparency = yes' to stunnel.conf
add/change 'setuid = root' to stunnel.conf
add/change 'setgid = wheel' to stunnel.conf
start service
pf rules are believed to be required as an end-to-end solution; however, this will allow the 'transparent' option to work.
--- security/stunnel/Makefile.orig 2010-12-30 12:15:43.000000000 -0800 +++ security/stunnel/Makefile 2010-12-30 12:15:54.000000000 -0800 
@@ -7,7 +7,7 @@ PORTNAME= stunnel PORTVERSION= 4.34 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security MASTER_SITES= http://www.stunnel.org/download/stunnel/src/ \ http://mirrors.zerg.biz/stunnel/%SUBDIR%/ \ @@ -95,6 +95,10 @@ ${WRKSRC}/tools/Makefile.in .endif +.if ${OSVERSION} >= 800000 + @cd ${WRKSRC} && ${PATCH} --quiet < ${FILESDIR}/bindany_client.c +.endif + post-install: @${SETENV} PKG_PREFIX=${PREFIX} ${SH} \ ${PKGINSTALL} ${PKGNAME} POST-INSTALL --- /dev/null 2010-12-30 12:17:09.000000000 -0800 +++ security/stunnel/files/bindany_client.c 2010-12-30 12:14:04.000000000 -0800 @@ -0,0 +1,22 @@ +--- ./src/client.c.orig 2010-12-30 09:53:09.000000000 -0800 ++++ ./src/client.c 2010-12-30 09:54:32.000000000 -0800 +@@ -1034,15 +1034,15 @@ + static void local_bind(CLI *c) { + SOCKADDR_UNION addr; + +-#ifdef IP_TRANSPARENT ++#ifdef IP_BINDANY + int on=1; + if(c->opt->option.transparent) { +- if(setsockopt(c->fd, SOL_IP, IP_TRANSPARENT, &on, sizeof on)) +- sockerror("setsockopt IP_TRANSPARENT"); ++ if(setsockopt(c->fd, IPPROTO_IP, IP_BINDANY, &on, sizeof on)) ++ sockerror("setsockopt IP_BINDANY"); + /* ignore the error to retain Linux 2.2 compatibility */ + /* the error will be handled by bind(), anyway */ + } +-#endif /* IP_TRANSPARENT */ ++#endif /* IP_BINDANY */ + + memcpy(&addr, &c->bind_addr.addr[0], sizeof addr); + if(ntohs(addr.in.sin_port)>=1024) { /* security check */ >Release-Note: >Audit-Trail: >Unformatted:
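Review bot: in the second Makefile hunk, the client.c patch is applied by a hand-written command (`@cd ${WRKSRC} && ${PATCH} --quiet < ${FILESDIR}/bindany_client.c`) placed after an `.endif`, so whether it ever runs depends on which target the unshown surrounding lines belong to, and `--quiet` hides the patch output when the hunk no longer applies cleanly. The ports framework already handles conditional patches: `EXTRA_PATCHES+= ${FILESDIR}/bindany_client.c` inside the same `.if ${OSVERSION} >= 800000` block lets do-patch apply it with normal logging. Naming the file `bindany_client.c` rather than `patch-*` is deliberate (it must not be picked up unconditionally), but a one-line comment in the Makefile saying so would help the next maintainer.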
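Review bot: the client.c hunk replaces `#ifdef IP_TRANSPARENT` with `#ifdef IP_BINDANY` outright, so the patched source no longer builds transparent support on Linux; that is harmless while the port applies it only on FreeBSD >= 8, but `#if defined(IP_TRANSPARENT) || defined(IP_BINDANY)` with a per-option branch would be upstreamable. The retained comment `/* ignore the error to retain Linux 2.2 compatibility */` no longer describes the FreeBSD case: the error being ignored there is the `setsockopt IP_BINDANY: Operation not permitted (1)` from the description, which is raised whenever stunnel is not running as root (hence the `setuid = root` / `setgid = wheel` requirement in the Fix section). Because local_bind() is called per client on `c->fd`, the option cannot be set once before privileges are dropped, so the comment and the port's pkg-message should state plainly that transparent mode keeps the whole daemon running as root. The level change from SOL_IP to IPPROTO_IP is correct for FreeBSD.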