mac_portacl and automatic port allocation

Robert Watson rwatson at freebsd.org
Tue Nov 23 07:11:28 PST 2004


On Sun, 21 Nov 2004, Michal Mertl wrote:

> I really like the idea behind mac_portacl but I find it difficult to use
> it because of one issue. When an unprivileged program binds to high
> automatic port with a call to bind(2) and port number set to 0 the
> system chooses the port to bind to itself. This mechanism is used by
> a number of programs, most commonly by ftp clients in active mode.
> Unfortunately this 0 is checked by the mac_portacl(4) module and the
> call to bind is refused. Rather simple fix would be to check if the
> local port is 0 and user hasn't asked for IP_PORTRANGE_LOW and then
> allow the call to trivially succeed. It can be controlled by a sysctl if
> needed. 
> 
> What do you think of the patch below?

Seems like a good change to me.  Technically, there's probably a slight
atomicity problem relating to threads, since one thread could change the
flag while another thread is making the call to bind the socket.  I'm not
sure that's easily fixed without a specific MAC check in the inet code,
and what you propose is certainly a big improvement over what is there.

I'll get this, sans the printf, merged sometime today.

Thanks!

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Principal Research Scientist, McAfee Research
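The behaviour the thread is about, as an added example (this is not the patch from the thread nor mac_portacl source): a program binds with sin_port set to 0 and lets the kernel pick an automatic high port, which is what an active-mode ftp client does. The function portacl_must_check is a hypothetical model of the proposed rule (skip the ACL check for port 0 unless IP_PORTRANGE_LOW was requested); bind_ephemeral shows what the module sees at bind time and what the kernel finally allocates. The IP_PORTRANGE fallback defines carry FreeBSD's values so the example also builds where the option does not exist; the loopback interface is assumed to be available.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* FreeBSD's IP_PORTRANGE values, defined here only so the example also
 * builds on systems without the option (e.g. Linux). On FreeBSD the
 * system headers provide them and these fallbacks are unused. */
#ifndef IP_PORTRANGE_DEFAULT
#define IP_PORTRANGE_DEFAULT 0
#endif
#ifndef IP_PORTRANGE_LOW
#define IP_PORTRANGE_LOW 2
#endif

/* Model of the rule proposed in the thread (hypothetical name, not the
 * mac_portacl code): a bind(2) with port 0 asks the kernel for an
 * automatically chosen high port, so the ACL check can be skipped unless
 * the caller requested IP_PORTRANGE_LOW, which could land on a reserved
 * port. Returns 1 if the ACL check must still run, 0 if it may be skipped.
 * Note the race Watson points out: the portrange value is read once here,
 * and another thread could change the socket option before the port is
 * actually allocated. */
int portacl_must_check(uint16_t requested_port, int portrange)
{
    if (requested_port == 0 && portrange != IP_PORTRANGE_LOW)
        return 0;
    return 1;
}

/* Bind an IPv4 TCP socket on loopback to port 0 and report which port the
 * kernel actually chose. If want_low is set and the platform has
 * IP_PORTRANGE, request the low (reserved) range first. Returns the
 * allocated port, or -1 on error. */
int bind_ephemeral(int want_low)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    int portrange = IP_PORTRANGE_DEFAULT;
#ifdef IP_PORTRANGE
    if (want_low) {
        portrange = IP_PORTRANGE_LOW;
        if (setsockopt(fd, IPPROTO_IP, IP_PORTRANGE, &portrange,
                       sizeof(portrange)) < 0) {
            close(fd);
            return -1;
        }
    }
#else
    (void)want_low; /* no IP_PORTRANGE here; only the default range exists */
#endif

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons(0); /* 0: let the kernel choose */

    /* This is the point where the unmodified module saw port 0 and refused
     * the call; under the proposed rule it is let through. */
    if (!portacl_must_check(ntohs(sin.sin_port), portrange))
        printf("port 0 requested without IP_PORTRANGE_LOW: ACL check skipped\n");

    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        close(fd);
        return -1;
    }

    /* getsockname(2) reveals the port the kernel actually allocated. */
    socklen_t len = sizeof(sin);
    if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return ntohs(sin.sin_port);
}

int main(void)
{
    int port = bind_ephemeral(0);
    if (port < 0) {
        perror("bind_ephemeral");
        return 1;
    }
    printf("kernel allocated port %d\n", port);
    return 0;
}
```

Running it as an unprivileged user prints a port from the automatic range; with want_low set on FreeBSD the same call would need a reserved port and therefore privilege, which is why the proposed rule keeps checking that case.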




More information about the freebsd-security mailing list