Subject: Re: KAUTH_REQ_NETWORK_SOCKET_OPEN
To: David Young <dyoung@pobox.com>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-kern
Date: 02/02/2007 15:49:47
On Wed, Jan 31, 2007 at 05:08:43PM -0600, David Young wrote:
> On Wed, Jan 31, 2007 at 05:37:07PM -0500, Thor Lancelot Simon wrote:
> > On Wed, Jan 31, 2007 at 01:05:40PM -0600, David Young wrote:
> > > 
> > > The rule "only root can create a raw socket, PF_ROUTE and PF_BLUETOOTH
> > > sockets excepted" is a blunt instrument for enforcing a policy on
> > > what packets a program can send and receive.
> > 
> > I don't agree.  I believe it's the correct policy, to prohibit non-
> > superuser programs on multiuser systems from sending arbitrary network
> > packets behind the stack's back; that we have no appropriate socket
> > interfaces to many common protocols we do wish to let nonprivileged
> > programs use is the real problem.
> 
> Based on what you just wrote, I think you do agree: it is a blunt
> instrument for policy enforcement. :-)

Not if you mean "overly blunt".  It is exactly as "blunt" as it should
be: non-root users should not be able to modify arbitrary parts of packets
for _any_ protocol family.  Where it is "necessary" that they do so, that
reveals that we lack in-kernel code for safely sending and receiving some
kind of higher-level protocol packet; and that is a bug.

Enforcing "less blunt" restrictions on SOCK_RAW as a workaround for that
bug is *also* a bug.

Thor