On 2004-10-12 09:04, Robert Watson <[EMAIL PROTECTED]> wrote:
> On Tue, 12 Oct 2004, Giorgos Keramidas wrote:
> > On 2004-10-11 16:31, Robert Watson <[EMAIL PROTECTED]> wrote:
> > > + * NOTE: Regarding access control.  Raw sockets may only be created by
> > > + * privileged processes; however, as a result of jailed processes and the
> > > + * ability for processes to downgrade privilege yet retain a reference to the
> > > + * raw socket.  As such, explicit access control is required here, or when
> > > + * unimplemented requests are passed to ip_ctloutput(), are required there.
> >
> > Can we rewrite this descriptive comment a bit?  I can't really
> > understand what is being said by reading the comment.  Reading the diff
> > of the source is easy, but we should try to make the comment more
> > comprehensible too ;-)
>
> Maybe something like the following:
>
>  * IMPORTANT NOTE regarding access control: Traditionally, raw sockets
>  * could only be created by a privileged process, and as such, socket
>  * option operations to manage system properties on any raw socket were
>  * allowed to take place without explicit additional access control
>  * checks.  However, raw sockets can now also be created in jail(), and
>  * therefore explicit checks are now required.  Likewise, raw sockets can
>  * be used by a process after it gives up privilege, so some caution is
>  * required.  For options passed down to the IP layer via ip_ctloutput(),
>  * checks are assumed to be performed in ip_ctloutput() and therefore no
>  * check occurs here.  Unilaterally checking suser() here breaks normal IP
>  * socket option operations on raw sockets.
>  *
>  * When adding new socket options here, make sure to add access control
>  * checks here as necessary.
Yep, this sounds like a better explanation.  Thanks :-)
