Subject: Re: TCPCTL_IDENT (Was: CVS commit: src/etc)
To: Matthias Scheler <tron@zhadum.de>
From: Simon Burge <simonb@wasabisystems.com>
List: tech-kern
Date: 05/02/2003 23:24:58
[ Added tech-security to list
  Background: allowing the TCPCTL_IDENT sysctl to work for any user.
  This sysctl allows you to find the owner of any TCP connection if
  you know the addresses and ports (easily obtainable from netstat)
  and currently only works for root (more through mis-design than
  policy (IMHO)).]

Matthias Scheler wrote:

> On Fri, May 02, 2003 at 10:53:20PM +1000, Simon Burge wrote:
>
> > The following patch changes the sysctl to using only the mib for the
> > query and works with "nobody:kmem" in /etc/inetd.conf.
> 
> Does it really need group "kmem"? I don't see anything in this patch
> which enforces it.

Indeed no - I've checked that "nobody" and "nobody:nobody" work.  (Does
the former imply the latter, as "nobody" is the group of the "nobody"
user?)

> And that might open another security problem
> because any user can query the owner of any TCP connection now.

I don't have any idea of security implications of this.  Anyone know
better?

Simon.
--
Simon Burge                            <simonb@wasabisystems.com>
NetBSD Support and Service:         http://www.wasabisystems.com/