Subject: Re: bin/35479: /usr/sbin/timedc fails
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, djv@bedford.net>
From: Christian Biere <christianbiere@gmx.de>
List: netbsd-bugs
Date: 01/25/2007 22:10:02
The following reply was made to PR bin/35479; it has been noted by GNATS.

From: Christian Biere <christianbiere@gmx.de>
To: gnats-bugs@NetBSD.org, netbsd-bugs@NetBSD.org
Cc: 
Subject: Re: bin/35479: /usr/sbin/timedc fails
Date: Thu, 25 Jan 2007 23:16:21 +0100

 Woodchuck wrote:
 > In other words, the OpenBSD hosts are *rejecting* a connection attempt
 > from a privileged socket.  That makes a certain kind of paranoid sense.
 
 I don't see any such checks in code. Are you sure it's not just the
 firewall? Also packets from unprivileged ports are certainly not more
 trustworthy than those from privileged ports. If you want to differ at
 all than it's rather vice-versa.
 
 > I notice that timedc is setuid 0 on NetBSD, (obviously, to get that
 > privileged socket), but is not setuid on OpenBSD (which uses an unprivileged
 > one).
 
 No, it's not just for this socket but rather for the raw socket.
 
 > If an unprivileged socket is appropriate, then NetBSD could also
 > lose the setuid property, generally a good thing to lose if unnecessary.
 
 Can you use timedc as non-root on OpenBSD at all? I would think there's no
 need to but I doubt not dropping privileges at all is better.
 
 -- 
 Christian