 
Date:	Fri, 22 Sep 2006 01:25:13 -0500
From:	William Pitcock <nenolod@...eme.org>
To:	linux-kernel@...r.kernel.org
Subject: [PATCH 2.6.18 1/1] net/ipv4: sysctl to allow non-superuser to bypass CAP_NET_BIND_SERVICE requirement

This patch allows a user to disable the requirement that a non-superuser
process hold the CAP_NET_BIND_SERVICE capability. It is toggled by
the net.ipv4.allow_lowport_bind_nonsuperuser sysctl value.

diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index e4b1a4d..c3f7c3c 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -411,6 +411,7 @@ enum
	NET_IPV4_TCP_WORKAROUND_SIGNED_WINDOWS=115,
	NET_TCP_DMA_COPYBREAK=116,
	NET_TCP_SLOW_START_AFTER_IDLE=117,
+	NET_IPV4_ALLOW_LOWPORT_BIND_NONSUPERUSER=118,
   };
   enum {
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index c84a320..a2ea829 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -394,6 +394,11 @@ int inet_release(struct socket *sock)
   /* It is off by default, see below. */
   int sysctl_ip_nonlocal_bind;

+/* When this is enabled, it allows normal users to bind to ports <=  
1023.
+ * This is set by the net.ipv4.allow_lowport_bind_nonsuperuser  
sysctl value.
+ */
+int sysctl_ip_allow_lowport_bind_nonsuperuser;
+
   int inet_bind(struct socket *sock, struct sockaddr *uaddr, int  
addr_len)
   {
  	struct sockaddr_in *addr = (struct sockaddr_in *)uaddr;
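Review bot: The hunk has been line-wrapped by the mail client — the new comment is split at `ports <=` / `1023.` and at `nonsuperuser` / `sysctl value.`, the `inet_bind(...)` context line is split before `addr_len)`, and the new condition in the next hunk is split before `PROT_SOCK &&` — so the patch will not apply as posted and needs to be resent with wrapping disabled. The new global is zero-initialized and the test it disables is a capability check rather than a uid check, so the comment should say both, e.g. `/* Off (0) by default. When set, inet_bind() skips the CAP_NET_BIND_SERVICE check for ports 1 through 1023. */`. inet_bind's body continues outside the hunk.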
@@ -432,7 +437,8 @@ int inet_bind(struct socket *sock, struc
  	snum = ntohs(addr->sin_port);
  	err = -EACCES;
-	if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
+	if (!sysctl_ip_allow_lowport_bind_nonsuperuser && snum && snum <  
PROT_SOCK &&
+		!capable(CAP_NET_BIND_SERVICE))
  		goto out;
  	/*      We keep a pair of addresses. rcv_saddr is the one
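Review bot: The new condition makes the privileged-port check an all-or-nothing system-wide switch: once the sysctl is set, every local process may bind ports 1 through 1023, which is a much broader relaxation than the description's "a non-superuser" suggests; a lower-bound port sysctl (unprivileged bind allowed at or above port N) would express the same intent with finer control and is worth considering instead of a boolean. The name says "nonsuperuser" but the test being bypassed is `capable(CAP_NET_BIND_SERVICE)`, not a uid-0 check, so the knob name and comment should be phrased in terms of the capability. The IPv6 counterpart inet6_bind appears to carry the same `snum < PROT_SOCK` test and is not touched here, so a knob under net.ipv4 would change IPv4 sockets only; either state that in the description or apply the same change there. inet_bind starts and ends outside this hunk.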
@@ -1412,3 +1418,4 @@ EXPORT_SYMBOL(inet_stream_ops);
   EXPORT_SYMBOL(inet_unregister_protosw);
   EXPORT_SYMBOL(net_statistics);
   EXPORT_SYMBOL(sysctl_ip_nonlocal_bind);
+EXPORT_SYMBOL(sysctl_ip_allow_lowport_bind_nonsuperuser);
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 70cea9d..c57ef3a 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -20,6 +20,7 @@ #include <net/tcp.h>
   /* From af_inet.c */
   extern int sysctl_ip_nonlocal_bind;
+extern int sysctl_ip_allow_lowport_bind_nonsuperuser;
  #ifdef CONFIG_SYSCTL
  static int zero;
@@ -197,6 +198,14 @@ ctl_table ipv4_table[] = {
  		.proc_handler	= &proc_dointvec
  	},
  	{
+		.ctl_name	= NET_IPV4_ALLOW_LOWPORT_BIND_NONSUPERUSER,
+		.procname	= "allow_lowport_bind_nonsuperuser",
+		.data		= &sysctl_ip_allow_lowport_bind_nonsuperuser,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= &proc_dointvec
+	},
+	{
  		.ctl_name	= NET_IPV4_TCP_SYN_RETRIES,
  		.procname	= "tcp_syn_retries",
  		.data		= &sysctl_tcp_syn_retries,
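Review bot: The new ipv4_table entry uses plain `&proc_dointvec`, so any integer can be written to a knob whose only meaningful values are 0 and 1; since the file already has `static int zero;`, `.proc_handler = &proc_dointvec_minmax, .extra1 = &zero, .extra2 = &one` (adding `static int one = 1;` if the file has no such bound yet) keeps the stored value within range. A sysctl that relaxes a security check should also be documented alongside the other ipv4 sysctls in the kernel's Documentation tree, which this patch does not do; a short entry naming the default (0) and the effect (unprivileged binding to ports 1 through 1023) would suffice. ipv4_table continues outside the hunk.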


Signed-off-by: William Pitcock <nenolod@...eme.org>
