Re: accounting with ipfw (gid, uid rules)

From: Karsten W. Rohrbach (karsten@rohrbach.de)
Date: 07/31/01


Date: Tue, 31 Jul 2001 18:08:28 +0200
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: Mike Silbersack <silby@silby.com>


Mike Silbersack(silby@silby.com)@2001.07.27 22:43:00 +0000:
>
> On Fri, 27 Jul 2001, Nickolay A.Kritsky wrote:
>
> > do you mean that after this code:
> > //----------------------------------------------------------------
> > setuid(0);
> > s=socket(...);
> > listen(s,1);
> > if (fork()!=-1)
> > {
> > setuid(1);
> > k=accept(s);
> > }
> > //----------------------------------------------------------------
> > socket pointed by k will be "owned" by root?
>
> Yes.
>
> > Anyway, it is not the main point of my question. Accounting httpd
> > traffic is just a piece of cake - the port is fixed, the address is
> > fixed. But I wanted to count Squid traffic. AFAIK Squid does not do any
> > setuid() voodoo, except for the privileges drop at startup. After that it
> > runs strictly as uid 'nobody'. But squid's traffic doesn't hit the
> > counter!!! I wonder why. Maybe it is because of natd running on the outer
> > interface? But why then do some packets hit the counter?
>
> If squid runs the listen as root, all sockets created from that listen
> socket will also be accounted to root. Same problem as the above. I do
> not know how natd would affect connections in terms of uid accounting.

squid's standard ports are higher than 1024, so it should not be a
problem to start it with a uid wrapper (setuidgid from daemontools
or similar), shouldn't it? Then the socket belongs to the squid user,
I think...

/k

-- 
> MCSE: Management Can't Send E-mail
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
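The ordering Karsten describes, creating the listening socket only after the process has become the unprivileged user so that ipfw uid/gid rules see that credential on the listener and on every accept()ed connection, written out in C as an added example that is not from the thread. The function names, the loopback bind address and the refusal of reserved ports are assumptions of this example.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <stdint.h>
#include <unistd.h>

/* Permanently switch to uid/gid and verify the switch is real.
 * Returns 0 on success, -1 on failure (errno set by the failing call). */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Groups first: once the uid is unprivileged, changing groups fails. */
    if (getuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Real and effective ids must have changed... */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    /* ...and root must not be recoverable (saved uid cleared as well). */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Create the listening socket only AFTER the credential change, so the socket
 * (and every accept()ed connection derived from it) carries the unprivileged
 * uid/gid that an ipfw "uid squid" rule matches. Binds 127.0.0.1:port
 * (assumed for the example); port 0 picks an ephemeral port. Returns fd or -1. */
int listen_unprivileged(uint16_t port, uid_t uid, gid_t gid)
{
    if (port != 0 && port < 1024) {          /* reserved port: would need root */
        errno = EACCES;
        return -1;
    }
    if (drop_privileges(uid, gid) != 0) return -1;
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) return -1;
    struct sockaddr_in sa = {0};
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(s, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(s, 16) != 0) {
        close(s);
        return -1;
    }
    return s;
}
```

Called as root with the squid uid/gid, this is equivalent to what a setuidgid wrapper does before exec'ing the daemon; the wrapper is the simpler route when the daemon itself cannot be changed.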

