Date:      Tue, 12 Oct 2004 21:40:22 +0400
From:      Gleb Smirnoff <glebius@freebsd.org>
To:        Robert Watson <rwatson@freebsd.org>
Cc:        cvs-all@freebsd.org
Subject:   Re: cvs commit: src/sys/netinet raw_ip.c
Message-ID:  <20041012174022.GE31707@cell.sick.ru>
In-Reply-To: <200410121647.i9CGlPBw027133@repoman.freebsd.org>
References:  <200410121647.i9CGlPBw027133@repoman.freebsd.org>

Thank you!

On Tue, Oct 12, 2004 at 04:47:25PM +0000, Robert Watson wrote:
R> rwatson     2004-10-12 16:47:25 UTC
R> 
R>   FreeBSD src repository
R> 
R>   Modified files:
R>     sys/netinet          raw_ip.c 
R>   Log:
R>   When the access control on creating raw sockets was modified so that
R>   processes in jail could create raw sockets, additional access control
R>   checks were added to raw IP sockets to limit the ways in which those
R>   sockets could be used.  Specifically, only the socket option IP_HDRINCL
R>   was permitted in rip_ctloutput().  Other socket options were protected
R>   by a call to suser().  This change was required to prevent processes
R>   in a Jail from modifying system properties such as multicast routing
R>   and firewall rule sets.
R>   
R>   However, it also introduced a regression: processes that create a raw
R>   socket with root privilege, but then downgraded credential (i.e., a
R>   daemon giving up root, or a setuid process switching back to the real
R>   uid) could no longer issue other unprivileged generic IP socket option
R>   operations, such as IP_TOS, IP_TTL, and the multicast group membership
R>   options, which prevented multicast routing daemons (and some other
R>   tools) from operating correctly.
R>   
R>   This change pushes the access control decision down to the granularity
R>   of individual socket options, rather than all socket options, on raw
R>   IP sockets.  When rip_ctloutput() doesn't implement an option, it will
R>   now pass the request directly to in_control() without an access
R>   control check.  This should restore the functionality of the generic
R>   IP socket options for raw sockets in the above-described scenarios,
R>   which may be confirmed with the ipsockopt regression test.
R>   
R>   RELENG_5 candidate.
R>   
R>   Reviewed by:    csjp
R>   
R>   Revision  Changes    Path
R>   1.145     +41 -20    src/sys/netinet/raw_ip.c

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
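
The access-control change described in the quoted commit log, as an added userland model (not part of the original message and not FreeBSD kernel code). The enum values, function names and the `suser_ok` flag are constructed for illustration; `suser_ok` stands for whether the suser() check passes for the caller's current credential.

```c
#include <errno.h>
#include <stdbool.h>

/* Constructed stand-ins for the option classes the commit log names. */
enum opt {
    OPT_HDRINCL,        /* IP_HDRINCL: handled by the raw-socket layer */
    OPT_FW_RULES,       /* firewall rule set changes (system property) */
    OPT_MCAST_ROUTING,  /* multicast routing control (system property) */
    OPT_TOS,            /* IP_TOS: generic IP option */
    OPT_TTL,            /* IP_TTL: generic IP option */
    OPT_ADD_MEMBERSHIP  /* multicast group membership: generic IP option */
};

/* Model of the generic IP option handler: no privilege required.
 * Assumed to succeed for every option in this model. */
static int generic_ip_option(enum opt o)
{
    (void)o;
    return 0;
}

/* Before: one check guards every option except IP_HDRINCL, so a process
 * that opened the socket as root and then dropped privilege is refused
 * even for harmless options such as IP_TTL. */
int raw_setopt_before(enum opt o, bool suser_ok)
{
    if (o != OPT_HDRINCL && !suser_ok)
        return EPERM;
    return generic_ip_option(o);
}

/* After: the decision is made per option. Only options that change
 * system properties are checked; anything the raw layer does not
 * implement is passed through without an access-control check. */
int raw_setopt_after(enum opt o, bool suser_ok)
{
    switch (o) {
    case OPT_HDRINCL:
        return 0;
    case OPT_FW_RULES:
    case OPT_MCAST_ROUTING:
        return suser_ok ? 0 : EPERM;
    default:
        return generic_ip_option(o);
    }
}
```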