Subject: Re: bin/35479: /usr/sbin/timedc fails
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, djv@bedford.net>
From: Woodchuck <djv@bedford.net>
List: netbsd-bugs
Date: 01/25/2007 22:35:02
The following reply was made to PR bin/35479; it has been noted by GNATS.

From: Woodchuck <djv@bedford.net>
To: gnats-bugs@NetBSD.org
Cc: netbsd-bugs@NetBSD.org
Subject: Re: bin/35479: /usr/sbin/timedc fails
Date: Thu, 25 Jan 2007 17:28:53 -0500 (EST)

 On Thu, 25 Jan 2007, Christian Biere wrote:
 
 > The following reply was made to PR bin/35479; it has been noted by GNATS.
 > 
 > From: Christian Biere <christianbiere@gmx.de>
 > To: gnats-bugs@NetBSD.org, netbsd-bugs@NetBSD.org
 > Cc: 
 > Subject: Re: bin/35479: /usr/sbin/timedc fails
 > Date: Thu, 25 Jan 2007 23:16:21 +0100
 > 
 >  Woodchuck wrote:
 >  > In other words, the OpenBSD hosts are *rejecting* a connection attempt
 >  > from a privileged socket.  That makes a certain kind of paranoid sense.
 >  
 >  I don't see any such checks in code. Are you sure it's not just the
 >  firewall? Also packets from unprivileged ports are certainly not more
 >  trustworthy than those from privileged ports. If you want to differ at
 >  all then it's rather vice-versa.
 
 Here are some tcpdumps, jezebel is a NetBSD host, rachel is OpenBSD.
 Pequod is an OpenBSD host.  All are on the same ethernet, no firewalls
 involved.
 
 With timedc with htons, i.e. as-is after the other fix:
 NetBSD sending from privileged port, OpenBSD not responding.
 
 17:17:04.053285 IP rachel.chuck > jezebel.chuck: icmp 28: time stamp reply id 36188 seq 35840 : org 0x4c81f35 recv 0x4c81f17 xmit 0x4c81f17
 17:17:04.053480 IP jezebel.chuck > rachel.chuck: icmp 28: time stamp query id 36188 seq 38400
 17:17:04.053575 IP rachel.chuck > jezebel.chuck: icmp 28: time stamp reply id 36188 seq 38400 : org 0x4c81f35 recv 0x4c81f17 xmit 0x4c81f17
 17:17:04.053756 IP jezebel.chuck.1023 > rachel.chuck.time: UDP, length: 4
 17:17:06.059611 IP jezebel.chuck.1023 > rachel.chuck.time: UDP, length: 4
 17:17:08.069645 IP jezebel.chuck.1023 > rachel.chuck.time: UDP, length: 4
 17:17:10.079674 IP jezebel.chuck.1023 > rachel.chuck.time: UDP, length: 4
 
 Without htons, i.e. with the BAD FIX:
 Jezebel (NetBSD) sends from 65283, OpenBSD rachel responds.
 
 17:18:10.328872 IP rachel.chuck > jezebel.chuck: icmp 28: time stamp reply id 21609 seq 35840 : org 0x4c92218 recv 0x4c92219 xmit 0x4c92219
 17:18:10.329068 IP jezebel.chuck > rachel.chuck: icmp 28: time stamp query id 21609 seq 38400
 17:18:10.329234 IP rachel.chuck > jezebel.chuck: icmp 28: time stamp reply id 21609 seq 38400 : org 0x4c92219 recv 0x4c92219 xmit 0x4c92219
 17:18:10.329416 IP jezebel.chuck.65283 > rachel.chuck.time: UDP, length: 4
 17:18:10.329644 IP rachel.chuck.time > jezebel.chuck.65283: UDP, length: 4
 
 From pequod (OpenBSD) to rachel (OpenBSD):
 Unprivileged port 19113 is selected.
 
 17:19:58.378961 IP pequod.chuck > rachel.chuck: icmp 28: time stamp query id 21006 seq 38400
 17:19:58.379070 IP rachel.chuck > pequod.chuck: icmp 28: time stamp reply id 21006 seq 38400 : org 0x4cac819 recv 0x4cac81b xmit 0x4cac81b
 17:19:58.379144 IP pequod.chuck.19113 > rachel.chuck.time: UDP, length: 4
 17:19:58.379314 IP rachel.chuck.time > pequod.chuck.19113: UDP, length: 4
 
 As for security, I have only a dim recollection, so will not rely
 upon it or even report what it is.  But for some reason, they are
 rejecting the connection from 1023.
 
 >  > I notice that timedc is setuid 0 on NetBSD, (obviously, to get that
 >  > privileged socket), but is not setuid on OpenBSD (which uses an unprivileged
 >  > one).
 >  
 >  No, it's not just for this socket but rather for the raw socket.
 
 OK.  OpenBSD fails for unprivileged user for the raw socket reason.
 
 >  > If an unprivileged socket is appropriate, then NetBSD could also
 >  > lose the setuid property, generally a good thing to lose if unnecessary.
 >  
 >  Can you use timedc as non-root on OpenBSD at all? I would think there's no
 >  need to but I doubt not dropping privileges at all is better.
 
 Will not start for unprivileged user.  A sudo-er could use it.
 (actual fresh experiments, not from my fuzzy memory.)  I will make
 inquiry at OpenBSD for their reasons for rejecting privileged connections,
 and report to you here.
 
 Dave
 -- 
       The law has converted plunder into a right and lawful defense
       into a crime.  -- Frederic Bastiat, 1850
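
Added example (not part of the original message, and not code from timedc): a short Python parser that pairs the UDP time queries in the three traces above with their replies and reports which source ports were answered. The UDP lines are copied from the message; the function names and the one-entry service map are assumptions of this example. It also checks that 65283 is 1023 with its two bytes swapped.

```python
import re

# UDP lines copied from the three traces in the message (one ICMP line kept
# to show that non-UDP packets are skipped).
TRACE = """\
17:17:04.053480 IP jezebel.chuck > rachel.chuck: icmp 28: time stamp query id 36188 seq 38400
17:17:04.053756 IP jezebel.chuck.1023 > rachel.chuck.time: UDP, length: 4
17:17:06.059611 IP jezebel.chuck.1023 > rachel.chuck.time: UDP, length: 4
17:17:08.069645 IP jezebel.chuck.1023 > rachel.chuck.time: UDP, length: 4
17:17:10.079674 IP jezebel.chuck.1023 > rachel.chuck.time: UDP, length: 4
17:18:10.329416 IP jezebel.chuck.65283 > rachel.chuck.time: UDP, length: 4
17:18:10.329644 IP rachel.chuck.time > jezebel.chuck.65283: UDP, length: 4
17:19:58.379144 IP pequod.chuck.19113 > rachel.chuck.time: UDP, length: 4
17:19:58.379314 IP rachel.chuck.time > pequod.chuck.19113: UDP, length: 4
"""

TIME_PORT = 37                   # tcpdump prints port 37 as "time"
SERVICES = {"time": TIME_PORT}   # assumption: the only name these traces need
LINE = re.compile(r"^\S+ IP (\S+)\.(\w+) > (\S+)\.(\w+): UDP\b")

def port_num(p):
    """Numeric port for a tcpdump port field; -1 for an unknown service name."""
    return int(p) if p.isdigit() else SERVICES.get(p, -1)

def byteswap16(port):
    """Swap the two bytes of a 16-bit port, as a missing htons() does on a little-endian host."""
    return ((port & 0xFF) << 8) | (port >> 8)

def summarize(trace):
    """Map (client, source port, server) -> query count and whether a reply was seen."""
    flows = {}
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ICMP and anything else that is not a UDP line
        src, sport = m.group(1), port_num(m.group(2))
        dst, dport = m.group(3), port_num(m.group(4))
        if dport == TIME_PORT:
            flow = flows.setdefault((src, sport, dst), {"queries": 0, "answered": False})
            flow["queries"] += 1
        elif sport == TIME_PORT and (dst, dport, src) in flows:
            flows[(dst, dport, src)]["answered"] = True
    return flows

if __name__ == "__main__":
    for (src, sport, dst), f in summarize(TRACE).items():
        kind = "privileged" if 0 <= sport < 1024 else "unprivileged"
        print(f"{src}:{sport} ({kind}, byte-swapped {byteswap16(sport)}) -> {dst}: "
              f"{f['queries']} query(ies), answered={f['answered']}")
```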