Re: inet socket restriction via group (fwd)
From: c.s. (maneo) peron (maneo@icmp.dhs.org)
Date: 08/22/01
- Next message: Michael Bryan: "Local Sendmail vulnerability, from BugTraq"
- Previous message: Chip Norkus: "Re: inet socket restriction via group"
- Next in thread: Crist J. Clark: "Re: inet socket restriction via group (fwd)"
- Reply: Crist J. Clark: "Re: inet socket restriction via group (fwd)"
- Maybe reply: c.s. (maneo) peron: "Re: inet socket restriction via group (fwd)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 21 Aug 2001 18:47:09 -0500 (CDT) From: "c.s. (maneo) peron" <maneo@icmp.dhs.org> To: <freebsd-security@freebsd.org>
True you could use ipfw, however i dont believe you can filter
a group when using ipf. (correct me if iam wrong)
Furthermore, I posted the wrong uipc_socket.c patch :(
the other one was no good.
This one should work.
snip ---< snip ---< snip ---< options patch
*** /usr/src/alpha/sys/conf/options Thu Aug 2 19:47:27 2001
--- /usr/src/sys/conf/options Sat Aug 18 11:29:30 2001
***************
*** 268,273 ****
--- 268,274 ----
PPP_DEFLATE opt_ppp.h
PPP_FILTER opt_ppp.h
RANDOM_IP_ID
+ RESTRICT_SOCKS opt_resocks.h
SLIP_IFF_OPTS opt_slip.h
TCPDEBUG
TCP_DROP_SYNFIN opt_tcp_input.h
snip ---< snip ---< snip ---< uipc_socket.c patch
*** uipc_socket.c.orig Thu Jun 14 15:46:06 2001
--- uipc_socket.c Tue Aug 21 10:21:58 2001
***************
*** 35,40 ****
--- 35,41 ----
*/
#include "opt_inet.h"
+ #include "opt_resocks.h"
#include <sys/param.h>
#include <sys/systm.h>
***************
*** 89,94 ****
--- 90,120 ----
SYSCTL_INT(_kern_ipc, KIPC_SOMAXCONN, somaxconn, CTLFLAG_RW,
&somaxconn, 0, "Maximum pending socket connection queue size");
+ #if (defined(RESTRICT_SOCKS))
+ /*
+ * define the sysctl(8) mechanisms that will enable
+ * the restriction of a certain group member(s)
+ * from creating network sockets, to prevent potentially
+ * abusive users from using the system as a springboard.
+ */
+ static int NoInetSocks = 0; /* default to 'off' */
+ gid_t NoInet_GID = 65534; /* default to group 'nobody' */
+
+ SYSCTL_INT(_kern_ipc,
+ OID_AUTO,
+ NoInetSocks,
+ CTLFLAG_RW,
+ &NoInetSocks,
+ 0,"AF_INET socket restriction via GID");
+
+ SYSCTL_INT(_kern_ipc,
+ OID_AUTO,
+ NoInet_GID,
+ CTLFLAG_RW,
+ &NoInet_GID,
+ 0,"GID to be restricted");
+ #endif /* RESTRICT SOCKS */
+
/*
* Socket operation routines.
* These routines are called by the routines in
***************
*** 132,137 ****
--- 158,172 ----
register struct protosw *prp;
register struct socket *so;
register int error;
+
+ #if (defined(RESTRICT_SOCKS))
+ if (dom == AF_INET && NoInetSocks) {
+ if (p->p_cred->p_rgid == NoInet_GID) {
+ uprintf("socreate(AF_INET) - disabled\n");
+ return(EPERM);
+ }
+ }
+ #endif /* RESTRICT_SOCKS */
if (proto)
prp = pffindproto(dom, proto, type);
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
- Next message: Michael Bryan: "Local Sendmail vulnerability, from BugTraq"
- Previous message: Chip Norkus: "Re: inet socket restriction via group"
- Next in thread: Crist J. Clark: "Re: inet socket restriction via group (fwd)"
- Reply: Crist J. Clark: "Re: inet socket restriction via group (fwd)"
- Maybe reply: c.s. (maneo) peron: "Re: inet socket restriction via group (fwd)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
