svn commit: r186955 - in head/sys: conf netinet

Robert Watson rwatson at
Fri Jan 9 11:02:35 PST 2009

On Fri, 9 Jan 2009, Julian Elischer wrote:

> Max Laier wrote:
>> On Friday 09 January 2009 17:02:19 Adrian Chadd wrote:
>>> Author: adrian Date: Fri Jan 9 16:02:19 2009 New Revision: 186955 URL: 
>>> Log:
>>>   Implement a new IP option (not compiled/enabled by default) to allow
>>>   applications to specify a non-local IP address when bind()'ing a socket
>>>   to a local endpoint.
>> That's a *socket* option ... you had me very worried there for a moment ;) 
>> I don't quite see why you'd hide these under a build time option - having 
>> the sysctl defaulting to off under CTLFLAG_SECURE seems good enough - if 
>> people disagree - make it a boot time tuneable, but I certainly don't see 
>> why you should have to rebuild the kernel for a minor thing like this.  It 
>> certainly isn't performance critical.
> because it can be a big security hole and you do not want people to have it 
> available on the average machine. Also because purists complained about it. 
> You'll notice that the compile option enables the sysctl, which is used to 
> turn on and off the capacity to do this per socket. so the admin can disable 
> it, but I felt a lot more comfortable having it not compiled in by default.

At the risk of turning something simply that has for unknown reasons taken a 
half dozen commits to get right into something that takes a half dozen plus 
one: the security stuff in this commit is really weird.  I'd prefer this 
socket option:

(1) Not be a kernel option, since the last thing we need is yet more
     conditionally compiled edge cases

(2) Require privilege by default, ideally a new privilege

(3) If it's desirable to make it easily accessible without privilege on some
     systems, add a sysctl that controls whether privilege is required.

This would make it available in GENERIC, default to requiring root, but allow 
that to be tweaked easily in the same way we require privilege to bind low 
port numbers by default, but using sysctls can tune the policy to something 
useful in more specific environments.

There's been talk of adding a fine-grained privilege model to FreeBSD 8.0 so 
that specific privileges could be granted in a more general way, but that 
hasn't happened yet.  It's also possible to do that already using a custom MAC 
policy since MAC policy modules can tune the privilege model to add and remove 
privileges for processes in a granular way.  But only if this operation is 
assigned a specific privilege.

Robert N M Watson
Computer Laboratory
University of Cambridge

More information about the svn-src-head mailing list