Robert Watson wrote:
On Fri, 9 Jan 2009, Julian Elischer wrote:
Max Laier wrote:
On Friday 09 January 2009 17:02:19 Adrian Chadd wrote:
Author: adrian
Date: Fri Jan 9 16:02:19 2009
New Revision: 186955
URL: http://svn.freebsd.org/changeset/base/186955
Log:
Implement a new IP option (not compiled/enabled by default) to allow applications to specify a non-local IP address when bind()'ing a socket to a local endpoint.
That's a *socket* option ... you had me very worried there for a
moment ;) I don't quite see why you'd hide these under a build time
option - having the sysctl defaulting to off under CTLFLAG_SECURE
seems good enough - if people disagree - make it a boot time
tuneable, but I certainly don't see why you should have to rebuild
the kernel for a minor thing like this. It certainly isn't
performance critical.
Because it can be a big security hole and you do not want people to have it available on the average machine. Also because purists complained about it. You'll notice that the compile option enables the sysctl, which is used to turn on and off the capacity to do this per socket, so the admin can disable it, but I felt a lot more comfortable having it not compiled in by default.
At the risk of turning something simple that has for unknown reasons taken a half dozen commits to get right into something that takes a half dozen plus one: the security stuff in this commit is really weird. I'd prefer this socket option:
(1) Not be a kernel option, since the last thing we need is yet more
conditionally compiled edge cases
It's been my experience that things that upset old hands and purists should be options until they get used to it.
Also, it does add some code. Not much, but bloat is bloat.
(2) Require privilege by default, ideally a new privilege
Actually I agree... there are actually two places privs could be applied:
on the sysctl (then anyone can do the socket option, but the machine is an acknowledged proxy host).
on the socket option (then only root can start a proxy, which may not be what is wanted).
In the ironport code the whole thing is just a #if 0.
(3) If it's desirable to make it easily accessible without privilege on some systems, add a sysctl that controls whether privilege is required.
This would make it available in GENERIC, default to requiring root, but allow that to be tweaked easily in the same way we require privilege to bind low port numbers by default, but sysctls can tune the policy to something useful in more specific environments.
There's been talk of adding a fine-grained privilege model to FreeBSD
8.0 so that specific privileges could be granted in a more general way,
but that hasn't happened yet. It's also possible to do that already
using a custom MAC policy since MAC policy modules can tune the
privilege model to add and remove privileges for processes in a granular
way. But only if this operation is assigned a specific privilege.
Robert N M Watson
Computer Laboratory
University of Cambridge
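As an added illustration (not code from the commit or from anyone in this thread): a user-space C model of the bind-time policy Robert sketches in (2) and (3), a per-socket non-local-bind flag gated by a sysctl that says whether privilege is required, alongside the low-port analogy. The sysctl, the option flag, the address list and the priv_check stand-in are hypothetical names constructed for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the bind() decision, not FreeBSD's in_pcbbind().
 * Addresses this host owns, constructed for the example. */
static const char *local_addrs[] = { "192.0.2.10", "127.0.0.1" };

struct sock {
    bool nonlocal_bind;  /* hypothetical per-socket option, set via setsockopt() */
    bool has_priv;       /* stands in for a successful priv_check() on the thread */
};

static bool addr_is_local(const char *addr)
{
    for (size_t i = 0; i < sizeof local_addrs / sizeof *local_addrs; i++)
        if (strcmp(addr, local_addrs[i]) == 0)
            return true;
    return false;
}

/* needs_priv_sysctl models the proposed sysctl: 1 (the default) means the
 * option only works for privileged callers, 0 opens it to everyone.
 * Returns 0 on success or the errno bind() would report. */
int model_bind(int needs_priv_sysctl, const struct sock *so, const char *addr)
{
    if (addr_is_local(addr))
        return 0;                     /* ordinary bind, option irrelevant */
    if (!so->nonlocal_bind)
        return EADDRNOTAVAIL;         /* today's behaviour: not our address */
    if (needs_priv_sysctl && !so->has_priv)
        return EACCES;                /* option requested, policy says no */
    return 0;                         /* proxy-style bind permitted */
}

int main(void)
{
    const struct sock plain = { false, false }, unpriv = { true, false },
                      priv = { true, true };
    const char *remote = "198.51.100.7";   /* constructed non-local address */

    printf("local addr, no option:      %d\n", model_bind(1, &plain, "192.0.2.10"));
    printf("remote, no option:          %d (EADDRNOTAVAIL)\n", model_bind(1, &plain, remote));
    printf("remote, option, unpriv:     %d (EACCES)\n", model_bind(1, &unpriv, remote));
    printf("remote, option, privileged: %d\n", model_bind(1, &priv, remote));
    printf("remote, option, sysctl=0:   %d\n", model_bind(0, &unpriv, remote));
    return 0;
}
```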
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all