Subject: Re: bin/35479: /usr/sbin/timedc fails
To: None <gnats-bugs@NetBSD.org>
From: Woodchuck <djv@bedford.net>
List: netbsd-bugs
Date: 01/25/2007 17:28:53
On Thu, 25 Jan 2007, Christian Biere wrote:

> The following reply was made to PR bin/35479; it has been noted by GNATS.
> 
> From: Christian Biere <christianbiere@gmx.de>
> To: gnats-bugs@NetBSD.org, netbsd-bugs@NetBSD.org
> Cc: 
> Subject: Re: bin/35479: /usr/sbin/timedc fails
> Date: Thu, 25 Jan 2007 23:16:21 +0100
> 
>  Woodchuck wrote:
>  > In other words, the OpenBSD hosts are *rejecting* a connection attempt
>  > from a privileged socket.  That makes a certain kind of paranoid sense.
>  
>  I don't see any such checks in code. Are you sure it's not just the
>  firewall? Also packets from unprivileged ports are certainly not more
>  trustworthy than those from privileged ports. If you want to differ at
>  all then it's rather vice-versa.

Here are some tcpdumps; jezebel is a NetBSD host, rachel is OpenBSD.
Pequod is an OpenBSD host.  All are on the same ethernet, no firewalls
involved.

With timedc with htons, i.e. as-is after the other fix:
NetBSD sending from privileged port, OpenBSD not responding.

17:17:04.053285 IP rachel.chuck > jezebel.chuck: icmp 28: time stamp reply id 36188 seq 35840 : org 0x4c81f35 recv 0x4c81f17 xmit 0x4c81f17
17:17:04.053480 IP jezebel.chuck > rachel.chuck: icmp 28: time stamp query id 36188 seq 38400
17:17:04.053575 IP rachel.chuck > jezebel.chuck: icmp 28: time stamp reply id 36188 seq 38400 : org 0x4c81f35 recv 0x4c81f17 xmit 0x4c81f17
17:17:04.053756 IP jezebel.chuck.1023 > rachel.chuck.time: UDP, length: 4
17:17:06.059611 IP jezebel.chuck.1023 > rachel.chuck.time: UDP, length: 4
17:17:08.069645 IP jezebel.chuck.1023 > rachel.chuck.time: UDP, length: 4
17:17:10.079674 IP jezebel.chuck.1023 > rachel.chuck.time: UDP, length: 4

Without htons, i.e. with the BAD FIX:
Jezebel (NetBSD) sends from 65283, OpenBSD rachel responds.

17:18:10.328872 IP rachel.chuck > jezebel.chuck: icmp 28: time stamp reply id 21609 seq 35840 : org 0x4c92218 recv 0x4c92219 xmit 0x4c92219
17:18:10.329068 IP jezebel.chuck > rachel.chuck: icmp 28: time stamp query id 21609 seq 38400
17:18:10.329234 IP rachel.chuck > jezebel.chuck: icmp 28: time stamp reply id 21609 seq 38400 : org 0x4c92219 recv 0x4c92219 xmit 0x4c92219
17:18:10.329416 IP jezebel.chuck.65283 > rachel.chuck.time: UDP, length: 4
17:18:10.329644 IP rachel.chuck.time > jezebel.chuck.65283: UDP, length: 4

From pequod (OpenBSD) to rachel (OpenBSD):
Unprivileged port 19113 is selected.

17:19:58.378961 IP pequod.chuck > rachel.chuck: icmp 28: time stamp query id 21006 seq 38400
17:19:58.379070 IP rachel.chuck > pequod.chuck: icmp 28: time stamp reply id 21006 seq 38400 : org 0x4cac819 recv 0x4cac81b xmit 0x4cac81b
17:19:58.379144 IP pequod.chuck.19113 > rachel.chuck.time: UDP, length: 4
17:19:58.379314 IP rachel.chuck.time > pequod.chuck.19113: UDP, length: 4

As for security, I have only a dim recollection, so will not rely
upon it or even report what it is.  But for some reason, they are
rejecting the connection from 1023.

>  > I notice that timedc is setuid 0 on NetBSD, (obviously, to get that
>  > privileged socket), but is not setuid on OpenBSD (which uses an unprivileged
>  > one).
>  
>  No, it's not just for this socket but rather for the raw socket.

OK.  OpenBSD fails for unprivileged user for the raw socket reason.

>  > If an unprivileged socket is appropriate, then NetBSD could also
>  > lose the setuid property, generally a good thing to lose if unnecessary.
>  
>  Can you use timedc as non-root on OpenBSD at all? I would think there's no
>  need to but I doubt not dropping privileges at all is better.

Will not start for unprivileged user.  A sudo-er could use it.
(actual fresh experiments, not from my fuzzy memory.)  I will make
inquiry at OpenBSD for their reasons for rejecting privileged connections,
and report to you here.

Dave
-- 
      The law has converted plunder into a right and lawful defense
      into a crime.  -- Frederic Bastiat, 1850
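
Added example, not part of the message above or of the NetBSD/OpenBSD sources: a short Python pass over the UDP lines from the three captures that pairs time-service queries with replies per source port and flags privileged (below 1024) sources. The function names are made up for this illustration; swap16() shows that 65283 is 1023 with its two bytes swapped, which fits the "without htons" run if jezebel is a little-endian machine (an assumption, since the message does not state the architecture).

```python
import re

# UDP lines taken from the three captures above (the 1023 retries trimmed to two).
CAPTURE = """\
17:17:04.053756 IP jezebel.chuck.1023 > rachel.chuck.time: UDP, length: 4
17:17:06.059611 IP jezebel.chuck.1023 > rachel.chuck.time: UDP, length: 4
17:18:10.329416 IP jezebel.chuck.65283 > rachel.chuck.time: UDP, length: 4
17:18:10.329644 IP rachel.chuck.time > jezebel.chuck.65283: UDP, length: 4
17:19:58.379144 IP pequod.chuck.19113 > rachel.chuck.time: UDP, length: 4
17:19:58.379314 IP rachel.chuck.time > pequod.chuck.19113: UDP, length: 4
"""

UDP_RE = re.compile(r"^\S+ IP (\S+)\.(\d+|time) > (\S+)\.(\d+|time): UDP")
TIME_PORT = 37            # tcpdump prints port 37 as the service name "time"
IPPORT_RESERVED = 1024    # ports below this require root to bind

def to_port(field):
    """tcpdump shows a service name for known ports, a number otherwise."""
    return TIME_PORT if field == "time" else int(field)

def swap16(port):
    """Port seen on the wire if a little-endian host skips htons()."""
    return ((port & 0xFF) << 8) | (port >> 8)

def summarize(capture):
    """Map (client, source port) -> query/reply counts for the time service."""
    flows = {}
    for line in capture.splitlines():
        m = UDP_RE.match(line)
        if not m:
            continue  # ICMP timestamp lines and anything else
        src, sport, dst, dport = m[1], to_port(m[2]), m[3], to_port(m[4])
        if dport == TIME_PORT:
            key, field = (src, sport), "queries"
        elif sport == TIME_PORT:
            key, field = (dst, dport), "replies"
        else:
            continue
        flow = flows.setdefault(key, {"queries": 0, "replies": 0,
                                      "privileged": key[1] < IPPORT_RESERVED})
        flow[field] += 1
    return flows

def unanswered(capture):
    """Clients whose time queries never received a reply."""
    return [k for k, f in summarize(capture).items() if f["replies"] == 0]
```

On these lines the only unanswered flow is the one from source port 1023, matching the observation in the message.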