svn commit: r186955 - in head/sys: conf netinet

Julian Elischer julian at
Fri Jan 9 11:11:02 PST 2009

Robert Watson wrote:
> On Fri, 9 Jan 2009, Julian Elischer wrote:
>> Max Laier wrote:
>>> On Friday 09 January 2009 17:02:19 Adrian Chadd wrote:
>>>> Author: adrian Date: Fri Jan 9 16:02:19 2009 New Revision: 186955 
>>>> URL:
>>>> Log:
>>>>   Implement a new IP option (not compiled/enabled by default) to allow
>>>>   applications to specify a non-local IP address when bind()'ing a 
>>>> socket
>>>>   to a local endpoint.
>>> That's a *socket* option ... you had me very worried there for a 
>>> moment ;) I don't quite see why you'd hide these under a build time 
>>> option - having the sysctl defaulting to off under CTLFLAG_SECURE 
>>> seems good enough - if people disagree - make it a boot time 
>>> tuneable, but I certainly don't see why you should have to rebuild 
>>> the kernel for a minor thing like this.  It certainly isn't 
>>> performance critical.
>> because it can be a big security hole and you do not want people to 
>> have it available on the average machine. Also because purists 
>> complained about it. You'll notice that the compile option enables the 
>> sysctl, which is used to turn on and off the capacity to do this per 
>> socket. so the admin can disable it, but I felt a lot more comfortable 
>> having it not compiled in by default.
> At the risk of turning something simply that has for unknown reasons 
> taken a half dozen commits to get right into something that takes a half 
> dozen plus one: the security stuff in this commit is really weird.  I'd 
> prefer this socket option:
> (1) Not be a kernel option, since the last thing we need is yet more
>     conditionally compiled edge cases

it's been my experience that things that upset old hands and purists 
should be options until they get used to it..

also it does add some code.. not much but bloat is bloat.

> (2) Require privilege by default, ideally a new privilege

Actually I agree... ther are actually two places privs could be 

on the sysctl (then anyone can do the socket option,
but the machine is an acknowledged proxy host).

on the socket option (then only root can start a proxy which may not 
be what is wanted).

in the ironport code the whole thing is just a #if 0

> (3) If it's desirable to make it easily accessible without privilege on 
> some
>     systems, add a sysctl that controls whether privilege is required.
> This would make it available in GENERIC, default to requiring root, but 
> allow that to be tweaked easily in the same way we require privilege to 
> bind low port numbers by default, but using sysctls can tune the policy 
> to something useful in more specific environments.
> There's been talk of adding a fine-grained privilege model to FreeBSD 
> 8.0 so that specific privileges could be granted in a more general way, 
> but that hasn't happened yet.  It's also possible to do that already 
> using a custom MAC policy since MAC policy modules can tune the 
> privilege model to add and remove privileges for processes in a granular 
> way.  But only if this operation is assigned a specific privilege.
> Robert N M Watson
> Computer Laboratory
> University of Cambridge

More information about the svn-src-head mailing list