cvs commit: src/sys/netinet raw_ip.c

Robert Watson rwatson at FreeBSD.org
Thu Oct 14 04:45:26 PDT 2004


rwatson     2004-10-14 11:45:26 UTC

  FreeBSD src repository

  Modified files:        (Branch: RELENG_5)
    sys/netinet          raw_ip.c 
  Log:
  Merge raw_ip.c:1.145 from HEAD to RELENG_5:
  
    date: 2004/10/12 16:47:25;  author: rwatson;  state: Exp;  lines: +41 -20
    When the access control on creating raw sockets was modified so that
    processes in jail could create raw sockets, additional access control
    checks were added to raw IP sockets to limit the ways in which those
    sockets could be used.  Specifically, only the socket option IP_HDRINCL
    was permitted in rip_ctloutput().  Other socket options were protected
    by a call to suser().  This change was required to prevent processes
    in a Jail from modifying system properties such as multicast routing
    and firewall rule sets.
  
    However, it also introduced a regression: processes that create a raw
    socket with root privilege, but then downgrade credentials (i.e., a
    daemon giving up root, or a setuid process switching back to the real
    uid) could no longer issue other unprivileged generic IP socket option
    operations, such as IP_TOS, IP_TTL, and the multicast group membership
    options, which prevented multicast routing daemons (and some other
    tools) from operating correctly.
  
    This change pushes the access control decision down to the granularity
    of individual socket options, rather than all socket options, on raw
    IP sockets.  When rip_ctloutput() doesn't implement an option, it will
    now pass the request directly to in_control() without an access
    control check.  This should restore the functionality of the generic
    IP socket options for raw sockets in the above-described scenarios,
    which may be confirmed with the ipsockopt regression test.
  
    RELENG_5 candidate.
  
    Reviewed by:    csjp
  
  Approved by:    re (scottl)
  
  Revision   Changes    Path
  1.142.2.2  +41 -20    src/sys/netinet/raw_ip.c
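
A user-space model of the access-control change described in the log above, added here as an illustration; it is not code from raw_ip.c or from the FreeBSD project. The option enum, struct cred, suser_model(), generic_ip_model() and the rip_ctl_* functions are hypothetical names, and the model assumes suser() succeeds only for root outside a jail.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed option set; illustrative names, not the kernel's constants. */
enum opt { OPT_HDRINCL, OPT_TOS, OPT_TTL, OPT_ADD_MEMBERSHIP, OPT_FW_RULE, OPT_MROUTE };
struct cred { bool root; bool jailed; };

/* Assumed stand-in for suser(): succeeds only for root outside a jail. */
static int suser_model(const struct cred *c) {
    return (c->root && !c->jailed) ? 0 : EPERM;
}

/* Generic IP option layer: no credential check at all. */
static int generic_ip_model(enum opt o) {
    switch (o) {
    case OPT_TOS: case OPT_TTL: case OPT_ADD_MEMBERSHIP: return 0;
    default: return ENOPROTOOPT;
    }
}

/* Before: every option except HDRINCL sits behind one blanket check. */
int rip_ctl_before(const struct cred *c, enum opt o) {
    int error;
    if (o == OPT_HDRINCL) return 0;
    if ((error = suser_model(c)) != 0) return error;
    if (o == OPT_FW_RULE || o == OPT_MROUTE) return 0;
    return generic_ip_model(o);
}

/* After: the check is made per option, only for system-wide state. */
int rip_ctl_after(const struct cred *c, enum opt o) {
    switch (o) {
    case OPT_HDRINCL: return 0;
    case OPT_FW_RULE: case OPT_MROUTE: return suser_model(c);
    default: return generic_ip_model(o);   /* passed down unchecked */
    }
}

int main(void) {
    struct cred dropped = { false, false };  /* daemon that gave up root */
    struct cred jailed_root = { true, true };
    printf("TTL, dropped root:  before=%d after=%d\n",
           rip_ctl_before(&dropped, OPT_TTL), rip_ctl_after(&dropped, OPT_TTL));
    printf("FW rule, jail root: before=%d after=%d\n",
           rip_ctl_before(&jailed_root, OPT_FW_RULE), rip_ctl_after(&jailed_root, OPT_FW_RULE));
    return 0;
}
```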

