Date: Tue, 12 Oct 2004 16:11:12 +0300 From: Giorgos Keramidas <keramida@freebsd.org> To: Robert Watson <rwatson@freebsd.org> Cc: swp@swp.pp.ru Subject: Re: IP options broken for raw sockets on cred downgrade (was: Re: why required root privileges to set multicast options now?) Message-ID: <20041012131112.GA54651@orion.daedalusnetworks.priv> In-Reply-To: <Pine.NEB.3.96L.1041012085952.55701M-100000@fledge.watson.org> References: <20041012112500.GA27309@orion.daedalusnetworks.priv> <Pine.NEB.3.96L.1041012085952.55701M-100000@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 2004-10-12 09:04, Robert Watson <rwatson@freebsd.org> wrote: > On Tue, 12 Oct 2004, Giorgos Keramidas wrote: > > On 2004-10-11 16:31, Robert Watson <rwatson@freebsd.org> wrote: > > > + * NOTE: Regarding access control. Raw sockets may only be created by > > > + * privileged processes; however, as a result of jailed processes and the > > > + * ability for processes to downgrade privilege yet retain a reference to the > > > + * raw socket. As such, explicit access control is required here, or when > > > + * unimplemented requests are passed to ip_ctloutput(), are required there. > > > > Can we rewrite this descriptive comment a bit? I can't really > > understand what is being said by reading the comment. Reading the diff > > of the source is easy, but we should try to make the comment more > > comprehensible too ;-) > > Maybe something like the following: > > * IMPORTANT NOTE regarding access control: Traditionally, raw sockets > * could only be created by a privileged process, and as such, socket > * option operations to manage system properties on any raw socket were > * allowed to take place without explicit additional access control > * checks. However, raw sockets can now also be created in jail(), and > * therefore explicit checks are now required. Likewise, raw sockets can > * be used by a process after it gives up privilege, so some caution is > * required. For options passed down to the IP layer via ip_ctloutput(), > * checks are assumed to be performed in ip_ctloutput() and therefore no > * check occurs here. Unilaterally checking suser() here breaks normal IP > * socket option operations on raw sockets. > * > * When adding new socket options here, make sure to add access control > * checks here as necessary. Yep, this sounds like a better explanation. Thanks :-)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041012131112.GA54651>