Re: mac_portacl and automatic port allocation

From: Robert Watson (rwatson_at_freebsd.org)
Date: 11/23/04

Date: Tue, 23 Nov 2004 15:09:41 +0000 (GMT)
To: Michal Mertl <mime@traveller.cz>

On Sun, 21 Nov 2004, Michal Mertl wrote:

> I really like the idea behind mac_portacl but I find it difficult to use
> it because of one issue. When an unprivileged program binds to a high
> automatic port with a call to bind(2) and the port number set to 0, the
> system chooses the port to bind to itself. This mechanism is used by a
> number of programs, most commonly by ftp clients in active mode.
> Unfortunately this 0 is checked by the mac_portacl(4) module and the
> call to bind is refused. A rather simple fix would be to check if the
> local port is 0 and the user hasn't asked for IP_PORTRANGE_LOW, and then
> allow the call to trivially succeed. It can be controlled by a sysctl if
> needed.
>
> What do you think of the patch below?

Seems like a good change to me. Technically, there's probably a slight
atomicity problem relating to threads, since one thread could change the
flag while another thread is making the call to bind the socket. I'm not
sure that's easily fixed without a specific MAC check in the inet code,
and what you propose is certainly a big improvement over what is there.

I'll get this, sans the printf, merged sometime today.

Thanks!

Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org Principal Research Scientist, McAfee Research

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
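The behaviour discussed in this thread, as an added illustration that is not code from the thread, from the patch Michal posted, or from the mac_portacl(4) module itself. The first part is a small userspace model of the policy decision: `check_before` feeds the port from the sockaddr (0 for "kernel chooses") straight to an ACL, which is what refuses unprivileged automatic binds; `check_after` applies the proposed rule (port 0 without IP_PORTRANGE_LOW succeeds trivially, gated by a flag standing in for the sysctl Michal mentions). `acl_allows` is a hypothetical stand-in for the module's rule lookup, and the parameter name `autoport_exempt` is an assumption, not a sysctl name taken from the thread. The second part does the real thing with bind(2) and getsockname(2) on loopback, so you can see the kernel pick an ephemeral port when asked for 0; the IP_PORTRANGE socket option is FreeBSD-specific and is compiled in only where the header defines it.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* What a bind(2) request looks like to a policy check: the port the caller
 * put in the sockaddr (0 = let the kernel choose) and whether the socket
 * has IP_PORTRANGE_LOW set (kernel would then choose a port below 1024). */
struct bind_req {
    int port;           /* port from the sockaddr, 0 = automatic */
    bool portrange_low; /* IP_PORTRANGE_LOW requested via setsockopt(2) */
};

/* Hypothetical ACL stand-in (constructed, not the module's rule table):
 * only uid 0 may bind ports up to 1023; everyone may bind above that. */
static bool acl_allows(int uid, int port)
{
    return uid == 0 || port > 1023;
}

/* Before the change: port 0 goes to the ACL as if it were a real port, so
 * an unprivileged uid is refused although the kernel would have picked a
 * high port anyway (the ftp active-mode case from the thread). */
static bool check_before(int uid, const struct bind_req *r)
{
    return acl_allows(uid, r->port);
}

/* After the proposed change: automatic selection without IP_PORTRANGE_LOW
 * succeeds trivially when the exemption is enabled. With IP_PORTRANGE_LOW
 * the kernel would choose a privileged port, so the ACL still decides. */
static bool check_after(int uid, const struct bind_req *r, bool autoport_exempt)
{
    if (autoport_exempt && r->port == 0 && !r->portrange_low)
        return true;
    return acl_allows(uid, r->port);
}

/* The kernel side of "port 0": bind a TCP socket on loopback with port 0
 * and read back the port the kernel assigned. Returns the port, or -1
 * (errno set) if sockets are unavailable in this environment. */
static int ephemeral_bind_port(void)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return -1;
#ifdef IP_PORTRANGE
    /* FreeBSD only. IP_PORTRANGE_DEFAULT keeps selection in the normal
     * ephemeral range; IP_PORTRANGE_LOW would ask for a port below 1024,
     * which is exactly the case the proposed exemption must not cover. */
    int range = IP_PORTRANGE_DEFAULT;
    (void)setsockopt(s, IPPROTO_IP, IP_PORTRANGE, &range, sizeof(range));
#endif
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons(0); /* "you choose" */
    if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) < 0 ||
        getsockname(s, (struct sockaddr *)&sin, &len) < 0) {
        int e = errno;
        close(s);
        errno = e;
        return -1;
    }
    close(s);
    return ntohs(sin.sin_port);
}

int main(void)
{
    struct bind_req automatic = { 0, false };
    struct bind_req low = { 0, true };
    struct bind_req explicit_low = { 21, false };
    int uid = 1001; /* constructed unprivileged uid */

    printf("port 0, default range:    before=%d after=%d\n",
           check_before(uid, &automatic), check_after(uid, &automatic, true));
    printf("port 0, IP_PORTRANGE_LOW: before=%d after=%d\n",
           check_before(uid, &low), check_after(uid, &low, true));
    printf("explicit port 21:         before=%d after=%d\n",
           check_before(uid, &explicit_low), check_after(uid, &explicit_low, true));
    printf("kernel-chosen ephemeral port: %d\n", ephemeral_bind_port());
    return 0;
}
```

The model also makes Robert's caveat concrete: `check_after` reads `portrange_low` once, at check time, while the real socket option lives on the socket and can be flipped by another thread between the MAC check and the moment the inet code actually selects the port. A userspace model cannot close that window; only a check placed at the point of port selection in the inet code would.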
