Subject: Re: TCPCTL_IDENT (Was: CVS commit: src/etc)
To: None <tech-security@netbsd.org>
From: Christos Zoulas <christos@zoulas.com>
List: tech-security
Date: 05/04/2003 15:49:52
In article <20030503002902.E1FE353E7F@thoreau.thistledown.com.au>,
Simon Burge <simonb@wasabisystems.com> wrote:
>Klaus Klein wrote:
>
>> Noriyuki Soda <soda@sra.co.jp> writes:
>>
>> > >>>>> On Fri, 02 May 2003 23:24:58 +1000,
>> > Simon Burge <simonb@wasabisystems.com> said:
>> >
>> > >> And that might open another security problem
>> > >> because any user can query the owner of any TCP connection now.
>> >
>> > > I don't have any idea of security implications of this. Anyone know
>> > > better?
>> >
>> > It has been possible before TCPCTL_IDENT, by just using /usr/bin/fstat.
>>
>> But unlike TCPCTL_IDENT, fstat can be restricted easily by changing
>> its file permissions (albeit coarsely).
>
>Hmm.
>
>I'd like to commit something based on the new code, as it uses the
>traditional sysctl() method of passing the query only in the MIB.
>
I don't particularly like that hack because it is non-scalable.
What if in the future you want to pass an off_t?
>I can see three ways forward:
>
> a) Use the current patch, but it has a possible security implication.
>
> b) Add an "is root" check to give current in-tree behaviour.
I am looking into an isroot() method to allow selected sysctls with newp
and newlen to be executed by non-root. Is that a good idea? Maybe allow,
via a kern.security.allow.my.sysctl setting, my.sysctl to be executed by
non-root?
> c) Add a knob (sysctl, kernel compile time?) to enable non-root
> lookups.
>
>I also have plans to one day convert fstat to using sysctl()s, so
>we're going to strike this problem again one day.
>
>Maybe a number of sysctl's under kern.security? These could also
>control allowing non-root users to look up process info for other
>users, etc...
>
>Maybe b) for now and I'll look at fleshing out c)?
>
>Simon.
>--
>Simon Burge <simonb@wasabisystems.com>
>NetBSD Support and Service: http://www.wasabisystems.com/