svn commit: r186955 - in head/sys: conf netinet
rwatson at FreeBSD.org
Fri Jan 9 11:02:35 PST 2009
On Fri, 9 Jan 2009, Julian Elischer wrote:
> Max Laier wrote:
>> On Friday 09 January 2009 17:02:19 Adrian Chadd wrote:
>>> Author: adrian
>>> Date: Fri Jan 9 16:02:19 2009
>>> New Revision: 186955
>>> URL:
>>> Implement a new IP option (not compiled/enabled by default) to allow
>>> applications to specify a non-local IP address when bind()'ing a socket
>>> to a local endpoint.
>> That's a *socket* option ... you had me very worried there for a moment ;)
>> I don't quite see why you'd hide these under a build time option - having
>> the sysctl defaulting to off under CTLFLAG_SECURE seems good enough - if
>> people disagree - make it a boot time tuneable, but I certainly don't see
>> why you should have to rebuild the kernel for a minor thing like this. It
>> certainly isn't performance critical.
> because it can be a big security hole and you do not want people to have it
> available on the average machine. Also because purists complained about it.
> You'll notice that the compile option enables the sysctl, which is used to
> turn on and off the capacity to do this per socket. So the admin can disable
> it, but I felt a lot more comfortable having it not compiled in by default.
At the risk of turning something simple that has for unknown reasons taken a
half dozen commits to get right into something that takes a half dozen plus
one: the security stuff in this commit is really weird. I'd prefer this:
(1) Not be a kernel option, since the last thing we need is yet more
conditionally compiled edge cases
(2) Require privilege by default, ideally a new privilege
(3) If it's desirable to make it easily accessible without privilege on some
systems, add a sysctl that controls whether privilege is required.
This would make it available in GENERIC, default to requiring root, but allow
that to be tweaked easily in the same way we require privilege to bind low
port numbers by default, but using sysctls can tune the policy to something
useful in more specific environments.
There's been talk of adding a fine-grained privilege model to FreeBSD 8.0 so
that specific privileges could be granted in a more general way, but that
hasn't happened yet. It's also possible to do that already using a custom MAC
policy since MAC policy modules can tune the privilege model to add and remove
privileges for processes in a granular way. But only if this operation is
assigned a specific privilege.
Robert N M Watson
University of Cambridge
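The privilege-by-default policy described in the reply above (require privilege for the non-local bind unless a sysctl relaxes it, in the same way low-port binding is handled), written up as an added userspace model in C. This is not FreeBSD's in_pcbbind() or the committed code: the function name check_bind_policy, the bindany field standing in for the new socket option, the knob names bindany_require_priv / reserved_low / reserved_high, and the list of "local" addresses are all assumed or constructed for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Knobs standing in for sysctls (constructed; defaults as proposed:
 * the non-local bind requires privilege unless an admin turns this off). */
static bool bindany_require_priv = true;
static int  reserved_low  = 0;      /* like the low end of the reserved port range */
static int  reserved_high = 1023;   /* like the high end of the reserved port range */

/* Constructed set of addresses "configured on local interfaces". */
static const uint32_t local_addrs[] = {
    0x7f000001u, /* 127.0.0.1 */
    0xc0a80105u, /* 192.168.1.5 */
};

struct bind_req {
    uint32_t addr;     /* requested local address, 0 == INADDR_ANY */
    uint16_t port;     /* requested local port, 0 == ephemeral */
    bool     bindany;  /* caller set the (assumed) non-local-bind socket option */
};

static bool is_local_addr(uint32_t a)
{
    for (size_t i = 0; i < sizeof(local_addrs) / sizeof(local_addrs[0]); i++)
        if (local_addrs[i] == a)
            return true;
    return false;
}

/* Admin toggle for the privilege requirement (models a sysctl write). */
void set_bindany_require_priv(bool v) { bindany_require_priv = v; }

/* Returns 0 if the bind is allowed, otherwise an errno value for the denial.
 * 'privileged' models the result of a kernel privilege check for the caller. */
int check_bind_policy(const struct bind_req *r, bool privileged)
{
    /* Reserved ports: privilege needed, range tunable by the knobs above. */
    if (r->port != 0 && r->port >= reserved_low && r->port <= reserved_high &&
        !privileged)
        return EACCES;

    if (r->addr != 0 && !is_local_addr(r->addr)) {
        if (!r->bindany)
            return EADDRNOTAVAIL;   /* classic behaviour: address not ours */
        if (bindany_require_priv && !privileged)
            return EACCES;          /* option set, but privilege required */
    }
    return 0;
}

int main(void)
{
    struct bind_req r = { 0x0a000001u /* 10.0.0.1, not local */, 8080, true };
    printf("unprivileged, option set, default policy: %d (EACCES=%d)\n",
           check_bind_policy(&r, false), EACCES);
    set_bindany_require_priv(false);
    printf("unprivileged, option set, relaxed policy: %d\n",
           check_bind_policy(&r, false));
    return 0;
}
```

The point of the shape is the one made in the thread: the code path is always compiled in, the default denies unprivileged callers, and only a runtime knob (which an admin can leave alone) widens access, so GENERIC carries no special build-time case.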