Re[2]: accounting with ipfw (gid, uid rules)

From: Mike Silbersack (silby@silby.com)
Date: 07/28/01


Date: Fri, 27 Jul 2001 22:43:00 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: "Nickolay A.Kritsky" <nkritsky@internethelp.ru>


On Fri, 27 Jul 2001, Nickolay A.Kritsky wrote:

> do you mean that after this code:
> //----------------------------------------------------------------
> setuid(0);
> s=socket(...);
> listen(s,1);
> if (fork()!=-1)
> {
> setuid(1);
> k=accept(s);
> }
> //----------------------------------------------------------------
> socket pointed by k will be "owned" by root?

Yes.

> Anyway, it is not the main point of my question. Accounting httpd
> traffic is just a piece of cake - the port is fixed, the address is
> fixed. But I wanted to count Squid traffic. AFAIK Squid does not do any
> setuid() voodoo, except for the privilege drop at startup. After that it
> runs strictly as uid 'nobody'. But squid's traffic doesn't hit the
> counter!!! I wonder why. Maybe it is because of natd running on the outer
> interface? But why then do some packets hit the counter?

If squid runs the listen as root, all sockets created from that listen
socket will also be accounted to root. Same problem as the above. I do
not know how natd would affect connections in terms of uid accounting.

Bug Robert Watson about this; the uid accounting is related to the
jail/acl/mac/etc. stuff which he has been / will be working on. He could
tell you whether the uid can be changed at the accept handoff or not.

> Sorry, but what does FWIW mean?

"For what it's worth"

Mike "Silby" Silbersack

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
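
As an added example (not code from this thread, and not Squid's or ipfw's own code), the C program below shows the ordering that avoids the problem Mike describes: drop privileges first, then create the listening socket, so the listener and every socket that accept() derives from it carry the unprivileged credential an ipfw uid rule is meant to match. It assumes the daemon can use a port above 1023 (a daemon that must bind a low port has to obtain that socket as root some other way, and the accounting problem returns); the target uid/gid are parameters, and the self-test connects to itself over loopback on an ephemeral port so it runs without root.

```c
/* Added example: drop privileges BEFORE socket()/listen(), because the
 * accepted sockets inherit the credential of the listening socket. */
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid. Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups and gid first: once the uid is gone we may no
     * longer change them. setgroups() itself needs root, so only call it
     * when we actually are root. */
    if (getuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* If a saved root uid survived, setuid(0) would succeed; treat that as
     * a failed drop rather than running "unprivileged" with a way back. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return (getuid() == uid && geteuid() == uid && getgid() == gid) ? 0 : -1;
}

/* TCP listener on 127.0.0.1. port 0 asks the kernel for an ephemeral port;
 * the port actually bound is reported through bound_port. Returns the fd
 * or -1. Called only after the privilege drop, so the socket (and all
 * sockets accept() derives from it) belongs to the unprivileged uid. */
int make_listener(uint16_t port, uint16_t *bound_port)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return -1;
    int one = 1;
    setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons(port);
    if (bind(s, (struct sockaddr *)&sin, sizeof sin) != 0 || listen(s, 8) != 0) {
        close(s);
        return -1;
    }
    socklen_t len = sizeof sin;
    if (getsockname(s, (struct sockaddr *)&sin, &len) != 0) {
        close(s);
        return -1;
    }
    if (bound_port)
        *bound_port = ntohs(sin.sin_port);
    return s;
}

/* Self-test of the ordering: drop, then listen, then accept one loopback
 * connection made from this same process (the kernel completes the
 * handshake before accept() is called). Returns 0 when the accepted
 * socket exists and the process is running as `uid`, else -1. */
int demo(uid_t uid, gid_t gid)
{
    if (drop_privileges(uid, gid) != 0)   /* before any socket() call */
        return -1;
    uint16_t port;
    int ls = make_listener(0, &port);
    if (ls < 0)
        return -1;

    int c = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons(port);
    if (c < 0 || connect(c, (struct sockaddr *)&sin, sizeof sin) != 0) {
        if (c >= 0) close(c);
        close(ls);
        return -1;
    }
    int a = accept(ls, NULL, NULL);
    int ok = (a >= 0 && getuid() == uid) ? 0 : -1;
    if (a >= 0) close(a);
    close(c);
    close(ls);
    return ok;
}

int main(void)
{
    int rc = demo(getuid(), getgid());
    printf("drop-then-listen demo: %s\n", rc == 0 ? "ok" : "failed");
    return rc == 0 ? 0 : 1;
}
```

On a FreeBSD box the credential attached to the listening socket can be checked with sockstat (the USER column of `sockstat -4l`); if that column still says root for the daemon's listener, an ipfw rule matching `uid nobody` will not see its connections no matter what the process did with setuid() afterwards.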
