ports/153568: [patch] security/stunnel: enables transparent configuration option through application of IP_BINDANY
Jason Helfman
jhelfman at experts-exchange.com
Thu Dec 30 23:30:09 UTC 2010
>Number: 153568
>Category: ports
>Synopsis: [patch] security/stunnel: enables transparent configuration option through application of IP_BINDANY
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Dec 30 23:30:09 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Jason Helfman
>Release: FreeBSD 8.1-RELEASE i386
>Organization:
Experts Exchange, LLC.
>Environment:
System: FreeBSD eggman.experts-exchange.com 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:55:53 UTC 2010 root at almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
There is a transparency option for stunnel that doesn't work in FreeBSD, as it is using a kernel call that isn't supported in FreeBSD. FreeBSD 8 has the correct code for this to operate as designed, however it should be using IP_BINDANY.
http://www.stunnel.org/faq/stunnel.html (look for "transparent")
>How-To-Repeat:
install security/stunnel
add/change 'transparency = yes' to stunnel.conf
start service
should fail with this error, when the network connection is used through stunnel:
local_bind (original port): Can't assign requested address (49)
With included patch, this error will come up if 'setuid' and 'setgid' are not configured as described below:
setsockopt IP_BINDANY: Operation not permitted (1)
>Fix:
add/change 'transparency = yes' to stunnel.conf
add/change 'setuid = root' to stunnel.conf
add/change 'setgid = wheel' to stunnel.conf
start service
pf rules are believed to be required as an end-to-end solution; however, this will allow for the 'transparent' option to work.
--- security/stunnel/Makefile.orig 2010-12-30 12:15:43.000000000 -0800
+++ security/stunnel/Makefile 2010-12-30 12:15:54.000000000 -0800
@@ -7,7 +7,7 @@
PORTNAME= stunnel
PORTVERSION= 4.34
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= security
MASTER_SITES= http://www.stunnel.org/download/stunnel/src/ \
http://mirrors.zerg.biz/stunnel/%SUBDIR%/ \
@@ -95,6 +95,10 @@
${WRKSRC}/tools/Makefile.in
.endif
+.if ${OSVERSION} >= 800000
+ @cd ${WRKSRC} && ${PATCH} --quiet < ${FILESDIR}/bindany_client.c
+.endif
+
post-install:
@${SETENV} PKG_PREFIX=${PREFIX} ${SH} \
${PKGINSTALL} ${PKGNAME} POST-INSTALL
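Review bot: the manual `${PATCH} --quiet < ${FILESDIR}/bindany_client.c` call is unnecessary: the ports framework applies every `files/patch-*` file in `do-patch`, so renaming the file to `patch-src-client.c` gets it applied without this hunk at all. If the intent of the `.if ${OSVERSION} >= 800000` guard is to skip releases without the option, the `#ifdef IP_BINDANY` in the patched code already makes the change a no-op there, so the OSVERSION test adds nothing. Appending the `.if` block directly after the `.endif` of the preceding target also makes it unclear which target it belongs to; at minimum the hunk should show that target name in its context.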
--- /dev/null 2010-12-30 12:17:09.000000000 -0800
+++ security/stunnel/files/bindany_client.c 2010-12-30 12:14:04.000000000 -0800
@@ -0,0 +1,22 @@
+--- ./src/client.c.orig 2010-12-30 09:53:09.000000000 -0800
++++ ./src/client.c 2010-12-30 09:54:32.000000000 -0800
+@@ -1034,15 +1034,15 @@
+ static void local_bind(CLI *c) {
+ SOCKADDR_UNION addr;
+
+-#ifdef IP_TRANSPARENT
++#ifdef IP_BINDANY
+ int on=1;
+ if(c->opt->option.transparent) {
+- if(setsockopt(c->fd, SOL_IP, IP_TRANSPARENT, &on, sizeof on))
+- sockerror("setsockopt IP_TRANSPARENT");
++ if(setsockopt(c->fd, IPPROTO_IP, IP_BINDANY, &on, sizeof on))
++ sockerror("setsockopt IP_BINDANY");
+ /* ignore the error to retain Linux 2.2 compatibility */
+ /* the error will be handled by bind(), anyway */
+ }
+-#endif /* IP_TRANSPARENT */
++#endif /* IP_BINDANY */
+
+ memcpy(&addr, &c->bind_addr.addr[0], sizeof addr);
+ if(ntohs(addr.in.sin_port)>=1024) { /* security check */
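Review bot: replacing `#ifdef IP_TRANSPARENT` with `#ifdef IP_BINDANY` outright removes the Linux path, so this patched client.c cannot build transparent mode anywhere but FreeBSD. `#if defined(IP_TRANSPARENT) ... #elif defined(IP_BINDANY)` keeps both and is the form upstream could take, and the kept comment "ignore the error to retain Linux 2.2 compatibility" no longer describes the IP_BINDANY branch. As the PR's own output shows (`setsockopt IP_BINDANY: Operation not permitted (1)` without `setuid = root`), the kernel requires privilege for IP_BINDANY, so the fix as written means running the whole daemon as root; that trade-off belongs in pkg-message or the port's documentation. Finally, `addr` is a SOCKADDR_UNION but only the IPPROTO_IP/IP_BINDANY option is set; an AF_INET6 socket would need the corresponding IPV6_BINDANY option, which this hunk does not handle.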
>Release-Note:
>Audit-Trail:
>Unformatted:
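The behaviour the PR is about, as an added example that is not part of the PR or of stunnel's source: a helper in the spirit of stunnel's local_bind() that picks IP_TRANSPARENT on Linux or IP_BINDANY on FreeBSD at compile time, treats a failed setsockopt as non-fatal, and lets bind() report the real error (the "Can't assign requested address" case from the How-To-Repeat section shows up as EADDRNOTAVAIL). The function names and the 192.0.2.1 test address are assumptions for the demo; port 0 is used so the bind is never to a privileged port.

```c
/* Added example (not from the PR or stunnel): portable non-local source
 * binding. Function names and the 192.0.2.1 address are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Which kernel option this build uses for binding a foreign source address. */
const char *transparent_option_name(void) {
#if defined(IP_TRANSPARENT)
    return "IP_TRANSPARENT";   /* Linux */
#elif defined(IP_BINDANY)
    return "IP_BINDANY";       /* FreeBSD 8 and later */
#else
    return "none";
#endif
}

/* Request non-local binding on fd.
 * Returns 1 if the option was set, 0 if this platform has no such option,
 * -1 on setsockopt() failure with errno set (EPERM when unprivileged:
 * the PR shows exactly that for IP_BINDANY without setuid = root). */
int set_transparent_source(int fd) {
    int on = 1;
#if defined(IP_TRANSPARENT)
    return setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &on, sizeof on) < 0 ? -1 : 1;
#elif defined(IP_BINDANY)
    /* IPPROTO_IP rather than Linux-only SOL_IP, as in the PR's hunk. */
    return setsockopt(fd, IPPROTO_IP, IP_BINDANY, &on, sizeof on) < 0 ? -1 : 1;
#else
    (void)fd; (void)on;
    return 0;
#endif
}

/* Create a TCP socket, request transparent binding, then bind to ip:0.
 * Returns 0 on success or the errno of the failing call. As in stunnel,
 * a failed setsockopt is only logged; bind() decides whether it matters. */
int bind_as_source(const char *ip) {
    struct sockaddr_in sa;
    int err = 0;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    if (set_transparent_source(fd) < 0)
        fprintf(stderr, "setsockopt %s: %s (%d)\n",
                transparent_option_name(), strerror(errno), errno);
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(0);              /* ephemeral port, never privileged */
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) {
        close(fd);
        return EINVAL;
    }
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0)
        err = errno;                     /* EADDRNOTAVAIL for a foreign address */
    close(fd);
    return err;
}

int main(void) {
    printf("option: %s\n", transparent_option_name());
    printf("bind 0.0.0.0:   %s\n", strerror(bind_as_source("0.0.0.0")));
    /* Succeeds only when the option applied (privileged) or the kernel
     * otherwise allows non-local binds; otherwise EADDRNOTAVAIL. */
    printf("bind 192.0.2.1: %s\n", strerror(bind_as_source("192.0.2.1")));
    return 0;
}
```

Running this unprivileged reproduces the PR's two failure modes in order: the setsockopt line is logged with EPERM, and the bind to 192.0.2.1 then fails with EADDRNOTAVAIL, which is what stunnel reports as "Can't assign requested address".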