Proposed change to route(4) sockets to make them available to non-superuser

From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Date: Thu, 30 Aug 2001 11:33:34 -0400 (EDT)
To: Ruslan Ermilov <ru@FreeBSD.ORG>

<<On Thu, 30 Aug 2001 14:58:40 +0300, Ruslan Ermilov <ru@FreeBSD.ORG> said:

> raw_uattach(struct socket *so, int proto, struct proc *p)
> {
> struct rawcb *rp = sotorawcb(so);
> - int error;
 
> if (rp == 0)
> return EINVAL;
> - if (p && (error = suser(p)) != 0)
> - return error;
> return raw_attach(so, proto);
> }
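Review bot: Removing `- if (p && (error = suser(p)) != 0)` / `- return error;` from raw_uattach() drops the privilege gate for every protocol that attaches through this function, not only routing sockets, so any unprivileged process could open any raw socket. Keep the suser() check here; if routing sockets are to be opened without privilege, give them a dedicated attach routine that skips the check while raw_uattach() keeps it.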

This allows *anyone* to open any raw socket. This change should not
be made; use a specialized route_uattach instead.

 
> + if (rtm->rtm_type != RTM_GET && suser(curproc) != 0)
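Review bot: `suser(curproc)` authorizes the message against whichever process is running at send time rather than against the credential recorded when the socket was opened, so a daemon that opens the socket as root and then drops privileges could send nothing but RTM_GET; it also reintroduces a `curproc` reference into the network stack. Check the credential stored with the socket instead (so_cred on FreeBSD's struct socket), keeping RTM_GET as the only exempted type.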

Ick. I worked hard several years ago to get rid of all references to
`curproc' in the network stack; I'm none too pleased to see them
coming back. Since we already save the credentials of the process
which opened the socket, we should do the access-control on the basis
of those credentials, not on the basis of the process that happens to
be running. (Consider, for example, a daemon which opens its sockets
and then changes credentials for safety.)

-GAWollman
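As an added illustration, not code from this thread or from FreeBSD, the following user-space C model contrasts the two access-control policies discussed above: checking the current process (the posted patch) against checking the credential saved on the socket when it was opened (the reply's position). The struct names, the uid values and the message-type numbers are constructed for the model; only the RTM_GET exemption mirrors the patch.

```c
#include <errno.h>
#include <stdio.h>

/* Message types in the model; only the RTM_GET exemption matters here. */
enum { RTM_ADD = 1, RTM_DELETE = 2, RTM_GET = 4 };

struct cred { unsigned int uid; };          /* uid 0 stands for superuser */
struct proc { struct cred p_cred; };        /* the process issuing the call */
struct rtsocket { struct cred so_cred; };   /* credential captured at open */

typedef int (*rt_check_fn)(const struct rtsocket *, int, const struct proc *);

/* Anyone may open the socket; what matters is that the opener's
 * credential is recorded on it, which the kernel already does. */
static struct rtsocket rtsocket_open(const struct proc *p)
{
    struct rtsocket so;
    so.so_cred = p->p_cred;
    return so;
}

/* Policy A, the patch as posted: gate on the currently running process. */
static int rt_check_curproc(const struct rtsocket *so, int rtm_type,
                            const struct proc *curproc)
{
    (void)so;
    if (rtm_type == RTM_GET)
        return 0;
    return curproc->p_cred.uid == 0 ? 0 : EPERM;
}

/* Policy B, as argued in the reply: gate on the credential stored with
 * the socket, regardless of who happens to be running now. */
static int rt_check_socred(const struct rtsocket *so, int rtm_type,
                           const struct proc *curproc)
{
    (void)curproc;
    if (rtm_type == RTM_GET)
        return 0;
    return so->so_cred.uid == 0 ? 0 : EPERM;
}

/* A daemon opens its routing socket as root, then drops to an
 * unprivileged uid (constructed value) before sending RTM_ADD. */
static int daemon_add_after_dropping_privs(rt_check_fn check)
{
    struct proc daemon = { { 0 } };
    struct rtsocket so = rtsocket_open(&daemon);
    daemon.p_cred.uid = 1000;               /* setuid(1000) in real code */
    return check(&so, RTM_ADD, &daemon);
}

/* An ordinary user (constructed uid) opens a socket and sends rtm_type. */
static int unprivileged_user_sends(rt_check_fn check, int rtm_type)
{
    struct proc user = { { 1001 } };
    struct rtsocket so = rtsocket_open(&user);
    return check(&so, rtm_type, &user);
}

int main(void)
{
    printf("daemon RTM_ADD after dropping privs, curproc policy: %d (EPERM=%d)\n",
           daemon_add_after_dropping_privs(rt_check_curproc), EPERM);
    printf("daemon RTM_ADD after dropping privs, so_cred policy: %d\n",
           daemon_add_after_dropping_privs(rt_check_socred));
    printf("user RTM_GET, so_cred policy: %d\n",
           unprivileged_user_sends(rt_check_socred, RTM_GET));
    printf("user RTM_ADD, so_cred policy: %d\n",
           unprivileged_user_sends(rt_check_socred, RTM_ADD));
    return 0;
}
```

Both policies refuse an unprivileged user's RTM_ADD and permit RTM_GET; they diverge only for the daemon that drops privileges after opening, which the so_cred policy still allows because the privilege travels with the descriptor it was granted to.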
