From owner-freebsd-security Wed Mar 12 11:22:35 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id LAA04738 for security-outgoing; Wed, 12 Mar 1997 11:22:35 -0800 (PST) Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [131.155.210.19]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA04427; Wed, 12 Mar 1997 11:16:36 -0800 (PST) Received: (from guido@localhost) by gvr.win.tue.nl (8.8.5/8.8.2) id UAA23339; Wed, 12 Mar 1997 20:16:25 +0100 (MET) From: Guido van Rooij Message-Id: <199703121916.UAA23339@gvr.win.tue.nl> Subject: Re: NFS security issue... In-Reply-To: <9703121532.AA18955@halloran-eldar.lcs.mit.edu> from Garrett Wollman at "Mar 12, 97 10:32:48 am" To: wollman@lcs.mit.edu (Garrett Wollman) Date: Wed, 12 Mar 1997 20:16:25 +0100 (MET) Cc: freebsd-security@freebsd.org, core@freebsd.org X-Mailer: ELM [version 2.4ME+ PL28 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Garrett Wollman wrote: > < > > Except, of course, that it doesn't belong under net, it belongs under > > [v]fs.nfs. At this point, you may want to fix P-HK's breakage of > > sysctl variables for LKM filesystems. > > One thing I forgot to mention... > > I am right now contemplating changing the socket interface to pass > user credentials down to pru_bind(). This could be used, for example, > to provide a more sophisticated access-control model for local port > numbers (like blocking user attempts to bind to port 2049). Hopefully > we can get rid of SS_PRIV completely... > the local hackery is just an example. The same check for reserved ports also holds for non-local nfs requests. -Guido