IP options broken for raw sockets on cred downgrade (was: Re: why
required root privileges to set multicast options now?)
Robert Watson
rwatson at freebsd.org
Mon Oct 11 12:23:08 PDT 2004
On Sun, 10 Oct 2004, Robert Watson wrote:
> On Sun, 10 Oct 2004 swp at swp.pp.ru wrote:
>
> > FreeBSD 5.3-BETA7 Sun Oct 10 18:50:14 OMSST 2004
> >
> > ospfd (net/quagga from ports) run with credentials of quagga:quagga and
> > unable to set multicast options now.
> >
> > OSPF: can't setsockopt IP_ADD_MEMBERSHIP (AllSPFRouters): \
> > Operation not permitted
> > OSPF: can't setsockopt IP_MULTICAST_LOOP(0): Operation not permitted
> > OSPF: can't setsockopt IP_MULTICAST_TTL(1): Operation not permitted
> > OSPF: can't setsockopt IP_MULTICAST_IF: Operation not permitted
> >
> > 5.2-CURRENT and 5.2.1 have no problem.
>
> This appears to have been introduced as a result of changes to permit
> root to bind raw sockets in jail. In particular, the likely control
> flow path to get the above errors was to perform setsockopt() on a UDP
> socket, which probably works its way down to in_control() to
> ip_ctloutput(). This would also explain why sdr stopped working for me
> a little while ago (I figured it was a bad package build). I've CC'd
> Christian as he might have some insight into how to clean this up.
The bug is now neatly illustrated by the ipsockopt regression test:
6.x:
paprika# ./ipsockopt
Running tests with ruid 0 euid 0 sock uid 0
Running tests with ruid 0 euid 65534 sock uid 65534
Running tests with ruid 0 euid 65534 sock uid 0
ipsockopt: test_ip_uchar(SOCK_RAW, IP_TOS): initial getsockopt(): Operation not permitted
5.x:
Running tests with ruid 0 euid 0 sock uid 0
Running tests with ruid 0 euid 65534 sock uid 65534
Running tests with ruid 0 euid 65534 sock uid 0
PASS
The socket option operation works fine except in the case where a raw
socket was created as root, and then privilege was downgraded to the
normal user, at which point the process tries a socket option operation
(apparently of any sort, not just multicast). I'm surprised more things
haven't broken, such as aspects of ping(8). Maybe they have and nobody
has noticed :-).
Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org Principal Research Scientist, McAfee Research
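
Added example, not part of the original message and not the FreeBSD ipsockopt regression test itself: a minimal C check for the failing case described above (raw socket created with euid 0, socket option calls made after dropping to euid 65534). The function name and result codes are hypothetical; it reports SKIPPED when not started as root or when raw sockets are unavailable.

```c
/* Added example: raw socket opened as root, sockopts used after euid drop. */
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

enum result { CHECK_SKIPPED, CHECK_PASS, CHECK_FAIL };

#define DROP_UID 65534  /* unprivileged euid, as in the test output above */

enum result check_raw_sockopt_after_downgrade(void)
{
    enum result r = CHECK_PASS;
    int tos = 0;
    socklen_t len = sizeof(tos);
    uid_t saved = geteuid();
    int s;

    if (saved != 0)
        return CHECK_SKIPPED;           /* needs root to start from */
    s = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (s < 0)
        return CHECK_SKIPPED;           /* raw sockets unavailable here */
    if (seteuid(DROP_UID) != 0) {       /* now: sock uid 0, euid 65534 */
        close(s);
        return CHECK_SKIPPED;
    }
    /* Case from the message: 5.x passes here, 6.x returned EPERM. */
    if (getsockopt(s, IPPROTO_IP, IP_TOS, &tos, &len) != 0) {
        perror("getsockopt(SOCK_RAW, IP_TOS) after downgrade");
        r = CHECK_FAIL;
    } else if (setsockopt(s, IPPROTO_IP, IP_TOS, &tos, sizeof(tos)) != 0) {
        perror("setsockopt(SOCK_RAW, IP_TOS) after downgrade");
        r = CHECK_FAIL;
    }
    if (seteuid(saved) != 0)            /* restore so callers are unaffected */
        r = CHECK_FAIL;
    close(s);
    return r;
}

int main(void)
{
    static const char *names[] = { "SKIPPED", "PASS", "FAIL" };
    enum result r = check_raw_sockopt_after_downgrade();
    printf("raw socket sockopt after cred downgrade: %s\n", names[r]);
    return r == CHECK_FAIL;
}
```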