IP options broken for raw sockets on cred downgrade (was: Re:
why required root privileges to set multicast options now?)
Giorgos Keramidas
keramida at freebsd.org
Tue Oct 12 06:11:54 PDT 2004
On 2004-10-12 09:04, Robert Watson <rwatson at freebsd.org> wrote:
> On Tue, 12 Oct 2004, Giorgos Keramidas wrote:
> > On 2004-10-11 16:31, Robert Watson <rwatson at freebsd.org> wrote:
> > > + * NOTE: Regarding access control. Raw sockets may only be created by
> > > + * privileged processes; however, as a result of jailed processes and the
> > > + * ability for processes to downgrade privilege yet retain a reference to the
> > > + * raw socket. As such, explicit access control is required here, or when
> > > + * unimplemented requests are passed to ip_ctloutput(), are required there.
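Review bot: The first sentence of the added NOTE never finishes. "however, as a result of jailed processes and the ability for processes to downgrade privilege yet retain a reference to the raw socket." has no main clause, so the comment does not say what jails and privilege downgrade actually change. State the consequence outright: the privilege held when the socket was created can no longer be assumed on later option calls. The last sentence also doubles its verb ("is required here, or ... are required there"); split it into one sentence for checks made here and one for requests passed to ip_ctloutput().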
> >
> > Can we rewrite this descriptive comment a bit? I can't really
> > understand what is being said by reading the comment. Reading the diff
> > of the source is easy, but we should try to make the comment more
> > comprehensible too ;-)
>
> Maybe something like the following:
>
> * IMPORTANT NOTE regarding access control: Traditionally, raw sockets
> * could only be created by a privileged process, and as such, socket
> * option operations to manage system properties on any raw socket were
> * allowed to take place without explicit additional access control
> * checks. However, raw sockets can now also be created in jail(), and
> * therefore explicit checks are now required. Likewise, raw sockets can
> * be used by a process after it gives up privilege, so some caution is
> * required. For options passed down to the IP layer via ip_ctloutput(),
> * checks are assumed to be performed in ip_ctloutput() and therefore no
> * check occurs here. Unilaterally checking suser() here breaks normal IP
> * socket option operations on raw sockets.
> *
> * When adding new socket options here, make sure to add access control
> * checks here as necessary.
Yep, this sounds like a better explanation. Thanks :-)
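The trade-off described in the proposed comment, as an added example that is not part of the original thread and not FreeBSD kernel code. It is a user-space model; the option classes, `struct cred`, and all function names are hypothetical stand-ins.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical option classes for this model; not FreeBSD's option numbers. */
enum { OPT_NORMAL_IP = 1,     /* ordinary IP option, passed down to the IP layer */
       OPT_SYSTEM_MGMT = 2 }; /* manages a system property, handled at the raw layer */

struct cred { bool privileged; };  /* stand-in for the caller's current credential */
static const struct cred ROOT = { true };
static const struct cred DROPPED = { false };  /* gave up privilege, kept the socket */

/* Stand-in for the IP layer; assumed to do its own checks (none needed here). */
static int model_ip_ctloutput(const struct cred *c, int opt) {
    (void)c;
    return opt == OPT_NORMAL_IP ? 0 : ENOPROTOOPT;
}

/* Traditional: no check, trusting that only root could create the socket. */
static int raw_unchecked(const struct cred *c, int opt) {
    if (opt == OPT_SYSTEM_MGMT)
        return 0;
    return model_ip_ctloutput(c, opt);
}

/* Unilateral check: every option call on the raw socket requires privilege. */
static int raw_blanket(const struct cred *c, int opt) {
    return c->privileged ? raw_unchecked(c, opt) : EPERM;
}

/* Per-option check: guard what is handled here, pass the rest down. */
static int raw_per_option(const struct cred *c, int opt) {
    if (opt == OPT_SYSTEM_MGMT)
        return c->privileged ? 0 : EPERM;
    return model_ip_ctloutput(c, opt);
}

int main(void) {
    /* 0 means allowed; a non-zero value is the errno the caller would see. */
    printf("policy (caller)        normal  system-mgmt\n");
    printf("unchecked (dropped)    %6d  %11d\n", raw_unchecked(&DROPPED, OPT_NORMAL_IP),
           raw_unchecked(&DROPPED, OPT_SYSTEM_MGMT));
    printf("blanket (dropped)      %6d  %11d\n", raw_blanket(&DROPPED, OPT_NORMAL_IP),
           raw_blanket(&DROPPED, OPT_SYSTEM_MGMT));
    printf("per-option (dropped)   %6d  %11d\n", raw_per_option(&DROPPED, OPT_NORMAL_IP),
           raw_per_option(&DROPPED, OPT_SYSTEM_MGMT));
    printf("per-option (root)      %6d  %11d\n", raw_per_option(&ROOT, OPT_NORMAL_IP),
           raw_per_option(&ROOT, OPT_SYSTEM_MGMT));
    return 0;
}
```

Only the per-option policy gives the deprivileged holder its normal IP options while refusing the system-management one.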