svn commit: r186955 - in head/sys: conf netinet
max at love2party.net
Fri Jan 9 11:08:09 PST 2009
On Friday 09 January 2009 19:29:11 Adrian Chadd wrote:
> 2009/1/9 Max Laier <max at love2party.net>:
> > Speaking of disabling it ... setting the sysctl to 0 is not really enough
> > to do that. One would also have to walk through the active sockets and
> > GC any that are bound to nonlocal addresses to really disable it ... or
> > do we rely on tcpdrop or the like to do that manually? Of course it
> > would make sense to have something like this: start tproxy, bind
> > forwarding ports, disable sysctl, raise securelevel
> > In addition, should there be a priv(9) check in ip_ctloutput?
> For which priv? Surely you don't really want people running services as
> root? :)
You don't want your normal user to be able to bind to foreign addresses
either. If you need to create sockets over and over again you use privilege
separation as done in OpenBSD.
> gnn and I talked about this a bit on IRC, and I was waiting for
> rwatson to come online before posting a followup. Linux's
> implementation of this stuff uses the CAP_NET_ADMIN capability to
> define whether a process can do this or not. So users would start
> Squid as root, Squid would acquire CAP_NET_ADMIN, drop root, and then
> use it whenever required.
> Also, this is an option set on bind() on an outbound socket, not a
> listen() socket. You'd bind() to the client IP you're pretending to
> be, then connect() to the server destination. You can't raise
> securelevel/disable sysctl in the way you described.
I see ... though there is no restriction in your code yet that would prevent
one from using it on a listen() socket.
Can you hold off on further commits until we reach a consensus about how this
should be done? This is getting a bit messy for my taste.
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
More information about the svn-src-head