cvs commit: src/sys/netinet raw_ip.c
Gleb Smirnoff
glebius at freebsd.org
Tue Oct 12 10:40:25 PDT 2004
Thank you!
On Tue, Oct 12, 2004 at 04:47:25PM +0000, Robert Watson wrote:
R> rwatson 2004-10-12 16:47:25 UTC
R>
R> FreeBSD src repository
R>
R> Modified files:
R> sys/netinet raw_ip.c
R> Log:
R> When the access control on creating raw sockets was modified so that
R> processes in jail could create raw sockets, additional access control
R> checks were added to raw IP sockets to limit the ways in which those
R> sockets could be used. Specifically, only the socket option IP_HDRINCL
R> was permitted in rip_ctloutput(). Other socket options were protected
R> by a call to suser(). This change was required to prevent processes
R> in a Jail from modifying system properties such as multicast routing
R> and firewall rule sets.
R>
R> However, it also introduced a regression: processes that create a raw
R> socket with root privilege, but then downgrade credentials (i.e., a
R> daemon giving up root, or a setuid process switching back to the real
R> uid) could no longer issue other unprivileged generic IP socket option
R> operations, such as IP_TOS, IP_TTL, and the multicast group membership
R> options, which prevented multicast routing daemons (and some other
R> tools) from operating correctly.
R>
R> This change pushes the access control decision down to the granularity
R> of individual socket options, rather than all socket options, on raw
R> IP sockets. When rip_ctloutput() doesn't implement an option, it will
R> now pass the request directly to in_control() without an access
R> control check. This should restore the functionality of the generic
R> IP socket options for raw sockets in the above-described scenarios,
R> which may be confirmed with the ipsockopt regression test.
R>
R> RELENG_5 candidate.
R>
R> Reviewed by: csjp
R>
R>   Revision  Changes    Path
R>   1.145     +41 -20    src/sys/netinet/raw_ip.c
--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
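
The access-control change described in the quoted commit log, as an added userland model that is not part of the original message and is not FreeBSD source. The `enum opt` classes, `struct cred`, `model_suser()` and both `rip_ctl_*` functions are hypothetical stand-ins; the model assumes the privilege check passes only for root outside a jail.

```c
/* Userland model of the access-control decision; not FreeBSD kernel source. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed option classes for the model, not the kernel's constants. */
enum opt { OPT_HDRINCL, OPT_FIREWALL, OPT_MROUTE, OPT_TOS, OPT_TTL, OPT_MEMBERSHIP };

struct cred { bool root; bool jailed; };

/* Assumed stand-in for suser(): passes only for root outside a jail. */
static int model_suser(const struct cred *c)
{
    return (c->root && !c->jailed) ? 0 : EPERM;
}

/* Before: every option except IP_HDRINCL sits behind one blanket check. */
static int rip_ctl_before(const struct cred *c, enum opt o)
{
    return (o == OPT_HDRINCL) ? 0 : model_suser(c);
}

/* After: only options that change system-wide state are checked. */
static int rip_ctl_after(const struct cred *c, enum opt o)
{
    switch (o) {
    case OPT_FIREWALL:
    case OPT_MROUTE:
        return model_suser(c);
    default:
        /* IP_HDRINCL and generic IP options: no privilege check. */
        return 0;
    }
}

int main(void)
{
    const struct cred dropped = { false, false }; /* daemon that gave up root */
    const struct cred jailed = { true, true };    /* root inside a jail */
    printf("dropped IP_TOS: before=%d after=%d\n",
        rip_ctl_before(&dropped, OPT_TOS), rip_ctl_after(&dropped, OPT_TOS));
    printf("jailed firewall: before=%d after=%d\n",
        rip_ctl_before(&jailed, OPT_FIREWALL), rip_ctl_after(&jailed, OPT_FIREWALL));
    return 0;
}
```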