IP options broken for raw sockets on cred downgrade (was: Re:
why required root privileges to set multicast options now?)
Giorgos Keramidas
keramida at freebsd.org
Tue Oct 12 04:25:12 PDT 2004
On 2004-10-11 16:31, Robert Watson <rwatson at freebsd.org> wrote:
> + * NOTE: Regarding access control. Raw sockets may only be created by
> + * privileged processes; however, as a result of jailed processes and the
> + * ability for processes to downgrade privilege yet retain a reference to the
> + * raw socket. As such, explicit access control is required here, or when
> + * unimplemented requests are passed to ip_ctloutput(), are required there.
Can we rewrite this descriptive comment a bit? I can't really understand what
is being said by reading the comment. Reading the diff of the source is easy,
but we should try to make the comment more comprehensible too ;-)
More information about the freebsd-net
mailing list