Date: Fri, 9 Jan 2009 19:02:34 +0000 (GMT)
From: Robert Watson <rwatson@FreeBSD.org>
To: Julian Elischer <julian@elischer.org>
Cc: svn-src-head@freebsd.org, Max Laier <max@love2party.net>, Adrian Chadd <adrian@freebsd.org>, src-committers@freebsd.org, svn-src-all@freebsd.org
Subject: Re: svn commit: r186955 - in head/sys: conf netinet
Message-ID: <alpine.BSF.2.00.0901091859060.95776@fledge.watson.org>
In-Reply-To: <49678D5E.3030600@elischer.org>
References: <200901091602.n09G2Jj1061164@svn.freebsd.org> <200901091802.10287.max@love2party.net> <49678D5E.3030600@elischer.org>
On Fri, 9 Jan 2009, Julian Elischer wrote:

> Max Laier wrote:
>> On Friday 09 January 2009 17:02:19 Adrian Chadd wrote:
>>> Author: adrian
>>> Date: Fri Jan 9 16:02:19 2009
>>> New Revision: 186955
>>> URL: http://svn.freebsd.org/changeset/base/186955
>>>
>>> Log:
>>>   Implement a new IP option (not compiled/enabled by default) to allow
>>>   applications to specify a non-local IP address when bind()'ing a socket
>>>   to a local endpoint.
>>
>> That's a *socket* option ... you had me very worried there for a moment ;)
>>
>> I don't quite see why you'd hide these under a build time option - having
>> the sysctl defaulting to off under CTLFLAG_SECURE seems good enough - if
>> people disagree - make it a boot time tuneable, but I certainly don't see
>> why you should have to rebuild the kernel for a minor thing like this. It
>> certainly isn't performance critical.
>
> Because it can be a big security hole and you do not want people to have it
> available on the average machine. Also because purists complained about it.
> You'll notice that the compile option enables the sysctl, which is used to
> turn on and off the capacity to do this per socket. So the admin can disable
> it, but I felt a lot more comfortable having it not compiled in by default.

At the risk of turning something simple that has for unknown reasons taken a
half dozen commits to get right into something that takes a half dozen plus
one: the security stuff in this commit is really weird. I'd prefer this
socket option:

(1) Not be a kernel option, since the last thing we need is yet more
    conditionally compiled edge cases.

(2) Require privilege by default, ideally a new privilege.

(3) If it's desirable to make it easily accessible without privilege on some
    systems, add a sysctl that controls whether privilege is required.

This would make it available in GENERIC, default to requiring root, but allow
that to be tweaked easily in the same way we require privilege to bind low
port numbers by default, but using sysctls can tune the policy to something
useful in more specific environments.

There's been talk of adding a fine-grained privilege model to FreeBSD 8.0 so
that specific privileges could be granted in a more general way, but that
hasn't happened yet. It's also possible to do that already using a custom MAC
policy since MAC policy modules can tune the privilege model to add and
remove privileges for processes in a granular way. But only if this operation
is assigned a specific privilege.

Robert N M Watson
Computer Laboratory
University of Cambridge
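The thread argues about who should be allowed to bind() a socket to an address the host does not own, but never shows what that capability looks like from userland. The program below is an added example, not code from the thread or from FreeBSD's r186955. Because the page does not name the new FreeBSD socket option, it uses Linux's IP_FREEBIND, which grants the same capability (assumption: the reader is on Linux; elsewhere the option is reported as unsupported). The address 192.0.2.1 is a constructed input from the TEST-NET-1 range, chosen because no real host configures it. Note the security-relevant difference from what Robert proposes: on Linux the option is available to any unprivileged process, with no privilege check and no sysctl gate.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Reports whether this platform exposes Linux's IP_FREEBIND socket option,
 * used here as the stand-in for the non-local bind option in the thread. */
int freebind_supported(void)
{
#ifdef IP_FREEBIND
    return 1;
#else
    return 0;
#endif
}

/* Tries to bind a UDP socket to an IPv4 address the host does not own.
 * Returns 0 if bind() succeeded, otherwise the errno of the failing call.
 * With want_nonlocal == 0 every platform should refuse with EADDRNOTAVAIL;
 * with want_nonlocal == 1 Linux sets IP_FREEBIND first and lets the bind
 * through without asking for any privilege. */
int try_bind_nonlocal(const char *addr, int want_nonlocal)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return errno;

    if (want_nonlocal) {
#ifdef IP_FREEBIND
        int one = 1;
        if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof(one)) < 0) {
            int e = errno;
            close(fd);
            return e;
        }
#else
        close(fd);
        return ENOPROTOOPT;   /* option does not exist on this platform */
#endif
    }

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = 0;         /* ephemeral port: only the address is under test */
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1) {
        close(fd);
        return EINVAL;
    }

    int rc = bind(fd, (struct sockaddr *)&sin, sizeof(sin));
    int result = (rc == 0) ? 0 : errno;
    close(fd);
    return result;
}

int main(void)
{
    /* Constructed input: TEST-NET-1, never configured on a real interface. */
    const char *victim = "192.0.2.1";
    int plain = try_bind_nonlocal(victim, 0);
    int forced = try_bind_nonlocal(victim, 1);

    printf("bind(%s) without the option: %s\n", victim,
           plain ? strerror(plain) : "succeeded");
    printf("bind(%s) with IP_FREEBIND:   %s\n", victim,
           forced ? strerror(forced) : "succeeded");
    return 0;
}
```

Run as an ordinary user: the first bind fails with "Cannot assign requested address" (EADDRNOTAVAIL), the second succeeds. That second result, obtained with no privilege at all, is exactly the default Robert objects to; under his proposal the unprivileged attempt would fail with EPERM until an administrator flipped the sysctl, the same way binding a reserved low port does today.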
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.00.0901091859060.95776>