Message-Id: <200403251039.i2PAdiiP050339@www.freebsd.org>
Date: Thu, 25 Mar 2004 02:39:44 -0800 (PST)
From: Grant Millar <co0lkizz@btinternet.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: UID/GID matching in ipfw non-functional
X-Send-Pr-Version: www-2.3

>Number:         64694
>Category:       kern
>Synopsis:       [ipfw] UID/GID matching in ipfw non-functional
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    ipfw
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 25 02:40:15 PST 2004
>Closed-Date:    Sat Jul 30 00:52:06 GMT 2005
>Last-Modified:  Sat Jul 30 00:52:06 GMT 2005
>Originator:     Grant Millar
>Release:        4.9-RELEASE
>Organization:
Uneix Internet Services
>Environment:
FreeBSD uneix.com 4.9-RELEASE FreeBSD 4.9-RELEASE #0: Thu Mar 25 08:22:06 CST 2004     fdc@box.domain.com:/usr/src/sys/compile/GENERIC  i386
 
>Description:
      When adding the following rules, uid matching on ipfw is totally
ignored. As we can see, no packets are getting through on the IP with
uid matching enabled; packets are allowed in but not out.

00100     3     144 allow tcp from any to 66.X.X.2
00200     0       0 allow tcp from 66.X.X.2 to any uid root
00300     3     132 deny tcp from 66.X.X.2 to any
65535 28440 2522637 allow ip from any to any

Clearly you can see this is a substantial problem, as now we cannot
restrict access to IPs, which could cause problems. I've also tried to
solve this problem by upgrading to 5.2.1-RELEASE but had exactly the
same problem.

>How-To-Repeat:
      
>Fix:
      
>Release-Note:
>Audit-Trail:

From: Maxim Konovalov <maxim@macomnet.ru>
To: Grant Millar <co0lkizz@btinternet.com>
Cc: bug-followup@freebsd.org
Subject: Re: misc/64694: UID/GID matching in ipfw non-functional
Date: Fri, 26 Mar 2004 22:29:39 +0300 (MSK)

 On Thu, 25 Mar 2004, 02:39-0800, Grant Millar wrote:
 
 [...]
 > >Description:
 >       When adding the following rules uid matching on ipfw is totally
 > ignored as we can see no packets are getting through on the ip with
 > uid maching enabled, packets are allowed in but not out.
 >
 > 00100     3     144 allow tcp from any to 66.X.X.2
 > 00200     0       0 allow tcp from 66.X.X.2 to any uid root
 > 00300     3     132 deny tcp from 66.X.X.2 to any
 > 65535 28440 2522637 allow ip from any to any
 >
 > Clearly you can see this is a substantial problem as now we cannot
 > restrict access to ip's which could cause problems, i've also tried to
 > solve this problem by upgrading to 5.2.1-RELEASE but had exactly the
 > same problem.
 
 Are you sure the traffic from 66.X.X.2 is coming to a socket owned by
 root?  Moreover, uid matching is working for me on 5.2-CURRENT:
 
 # ipfw sh 8000
 08000    39    7626 count tcp from 195.128.64.0/24 to any uid maxim
 08000     2     168 count tcp from 195.128.64.0/24 to any uid root
 # sleep 10 && ipfw sh 8000
 08000   397   83906 count tcp from 195.128.64.0/24 to any uid maxim
 --------------^^^^^ my ssh session
 
 08000     2     168 count tcp from 195.128.64.0/24 to any uid root
 
 -- 
 Maxim Konovalov

From: Kris Kennaway <kris@obsecurity.org>
To: Grant Millar <co0lkizz@btinternet.com>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: misc/64694: UID/GID matching in ipfw non-functional
Date: Fri, 26 Mar 2004 20:04:19 -0800

 On Thu, Mar 25, 2004 at 02:39:44AM -0800, Grant Millar wrote:
 
 > >Description:
 >       When adding the following rules uid matching on ipfw is totally
 > ignored as we can see no packets are getting through on the ip with
 > uid maching enabled, packets are allowed in but not out.
 >
 > 00100     3     144 allow tcp from any to 66.X.X.2
 > 00200     0       0 allow tcp from 66.X.X.2 to any uid root
 > 00300     3     132 deny tcp from 66.X.X.2 to any
 > 65535 28440 2522637 allow ip from any to any
 >
 > Clearly you can see this is a substantial problem as now we cannot
 > restrict access to ip's which could cause problems, i've also tried to
 > solve this problem by upgrading to 5.2.1-RELEASE but had exactly the
 > same problem.
 
 You forgot to mention details of your network configuration, and how
 you are testing this.  It's possible your expectations are wrong.
 
 Kris
 

From: "Grant Millar" <Co0lkizz@btinternet.com>
To: <freebsd-gnats-submit@FreeBSD.org>, <co0lkizz@btinternet.com>
Cc:  
Subject: Re: misc/64694: UID/GID matching in ipfw non-functional
Date: Sat, 27 Mar 2004 10:14:16 -0000

 My current network configuration I have kept simple to ensure that this
 could not be a problem. 66.X.X.2 is an alias of fxp0,
 
 defaultrouter="66.X.X.225"
 hostname="uneix.com"
 ifconfig_fxp0="inet 66.X.X.236  netmask 255.255.255.224"
 ifconfig_fxp0_alias0="inet 66.X.X.2  netmask 255.255.255.255"
 firewall_enable="YES"
 kern_securelevel_enable="NO"
 linux_enable="YES"
 nfs_reserved_port_only="YES"
 sendmail_enable="YES"
 sshd_enable="YES"
 usbd_enable="YES"
 
 ifconfig shows this to be working correctly,
 uneix# ifconfig
 fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         inet 66.90.89.236 netmask 0xffffffe0 broadcast 66.90.89.255
         inet6 fe80::250:8bff:fe67:da46%fxp0 prefixlen 64 scopeid 0x1
         inet 66.X.X.2 netmask 0xffffffff broadcast 66.X.X.2
 
 Also traffic gets through if I take out the uid,
 uneix# ipfw sh
 00100     64      6804 allow tcp from 66.X.X.2 to any
 00200     88      5152 allow tcp from any to 66.X.X.2
 00300      0         0 deny tcp from 66.X.X.2 to any
 65535 336537 151671807 allow ip from any to any
 
 httpd     208  root   16u  IPv4 0xdcd94dc0      0t0  TCP *:http (LISTEN)
 sshd      134  root    4u  IPv4 0xdcd8ae00      0t0  TCP *:ssh (LISTEN)
                ^^^^ sshd & httpd are listening on a root socket.
 
 Just to make sure this is not the problem the user we want to ssh with
 is added,
 uneix# ipfw sh
 00100      0         0 allow tcp from 66.X.X.2 to any uid root
 00110      0         0 allow tcp from 66.X.X.2 to any uid admin
 00200     93      5392 allow tcp from any to 66.X.X.2
 00300      5       220 deny tcp from 66.X.X.2 to any
 65535 338579 151962909 allow ip from any to any
 
 As you can see it is still denying the packets from both http and ssh.
 
 Grant
 

From: "Grant Millar" <Co0lkizz@btinternet.com>
To: <freebsd-gnats-submit@FreeBSD.org>, <co0lkizz@btinternet.com>
Cc:  
Subject: Re: misc/64694: UID/GID matching in ipfw non-functional
Date: Sat, 27 Mar 2004 10:46:10 -0000

 Also to test this further the following rules were implemented;
 
 uneix# ipfw sh
 00100     57      6148 allow tcp from 66.90.98.2 to any uid root
 00110      0         0 allow tcp from 66.90.98.2 to any uid admin
 00210     76      4560 allow tcp from any to 66.90.98.2
 65535 343883 152658276 allow ip from any to any
 
 As you can see, without the deny rule ssh is getting through on the uid
 root rule.
 
 When we add the deny rule;
 
 uneix# ipfw sh
 00100     57      6148 allow tcp from 66.90.98.2 to any uid root
 00110      0         0 allow tcp from 66.90.98.2 to any uid admin
 00210     83      4880 allow tcp from any to 66.90.98.2
 00310      5       220 deny tcp from 66.90.98.2 to any
 65535 344754 152866998 allow ip from any to any
 
 Let's see what the logs say by implementing the following rules,
 uneix# ipfw sh
 00100      0         0 allow log tcp from 66.90.98.2 to any uid root
 00200      0         0 allow log tcp from 66.90.98.2 to any uid admin
 00300      6       288 allow tcp from any to 66.90.98.2
 00400      6       264 deny log tcp from 66.90.98.2 to any
 65535 346401 153038817 allow ip from any to any
 
 Mar 27 10:37:18 uneix /kernel: ipfw: 400 Deny TCP 66.90.98.2:22
 81.128.227.64:22802 out via fxp0
 Mar 27 10:37:27 uneix last message repeated 2 times
 Mar 27 10:38:19 uneix /kernel: ipfw: 400 Deny TCP 66.90.98.2:80
 81.128.227.64:22803 out via fxp0
 Mar 27 10:38:28 uneix last message repeated 2 times
 
 Just shows that all packets are being denied.
 
 When the uid is taken out,
 uneix# ipfw sh
 00100     59      3620 allow tcp from any to 66.90.98.2
 00200     40      5196 allow log tcp from 66.90.98.2 to any
 00300      0         0 deny log tcp from 66.90.98.2 to any
 65535 347770 153146748 allow ip from any to any
 
 Mar 27 10:41:33 uneix /kernel: ipfw: 200 Accept TCP 66.90.98.2:22
 81.128.227.64:22804 out via fxp0
 Mar 27 10:41:51 uneix last message repeated 39 times
 
 The packets are accepted.
 
 Here is the ssh socket showing it owned by root;
 sshd     4722  root    5u  IPv4 0xdcd94940      0t0  TCP
 66.90.98.2:ssh->host81-128-227-64.inaddr.btopenworld.com:22804
 (ESTABLISHED)
 
 Grant
 
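 The diagnostic this thread relies on is reading `ipfw show` counters twice a few seconds apart (as Maxim did with `sleep 10 && ipfw sh`) and reading the kernel's `ipfw:` log lines (as Grant did). The following Python is an added example, not code from the PR or from FreeBSD: it parses both formats, reports per-rule packet growth, and flags uid-qualified allow rules that stayed at zero while a later deny rule fired. The snapshots and log lines are constructed samples modelled on the output quoted above, not the reporter's real data.

```python
import re
from collections import defaultdict
# Constructed sample: two `ipfw show` snapshots a few seconds apart, modelled on the PR.
SNAP_BEFORE = """\
00100      0         0 allow tcp from 66.90.98.2 to any uid root
00200     93      5392 allow tcp from any to 66.90.98.2
00300      5       220 deny tcp from 66.90.98.2 to any
65535 338579 151962909 allow ip from any to any
"""
SNAP_AFTER = """\
00100      0         0 allow tcp from 66.90.98.2 to any uid root
00200    120      6900 allow tcp from any to 66.90.98.2
00300     41      2100 deny tcp from 66.90.98.2 to any
65535 340000 152000000 allow ip from any to any
"""
# Constructed kernel log lines in the ipfw `log` format quoted in the PR.
KERNEL_LOG = """\
Mar 27 10:37:18 uneix /kernel: ipfw: 400 Deny TCP 66.90.98.2:22 81.128.227.64:22802 out via fxp0
Mar 27 10:38:19 uneix /kernel: ipfw: 400 Deny TCP 66.90.98.2:80 81.128.227.64:22803 out via fxp0
Mar 27 10:41:33 uneix /kernel: ipfw: 200 Accept TCP 66.90.98.2:22 81.128.227.64:22804 out via fxp0
"""
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")
LOG_RE = re.compile(r"ipfw: (\d+) (Accept|Deny) (\w+) (\S+) (\S+) (in|out) via (\S+)")

def parse_show(text):
    """Map rule number -> (packets, bytes, body) from `ipfw show` output."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[int(m.group(1))] = (int(m.group(2)), int(m.group(3)), m.group(4))
    return rules

def counter_deltas(before, after):
    """Packet-count growth per rule between two snapshots (the sleep-and-compare check)."""
    return {n: after[n][0] - before[n][0] for n in after if n in before}

def idle_uid_rules(before, after):
    """uid-qualified allow rules that stayed at zero while a later deny rule fired."""
    d = counter_deltas(before, after)
    denies = [n for n, (_, _, body) in after.items() if body.startswith("deny") and d[n] > 0]
    return [n for n, (_, _, body) in after.items()
            if body.startswith("allow") and " uid " in body and d[n] == 0
            and any(n < x for x in denies)]

def summarize_log(text):
    """Count (rule, action, local endpoint) triples from ipfw syslog lines."""
    counts = defaultdict(int)
    for m in LOG_RE.finditer(text):
        counts[(int(m.group(1)), m.group(2), m.group(4))] += 1
    return dict(counts)
```

 A non-empty result from `idle_uid_rules` is exactly the symptom reported in this PR: the uid rule never matches, so the later deny catches the daemon's outbound packets.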

From: Robert Watson <rwatson@FreeBSD.org>
To: Grant Millar <Co0lkizz@btinternet.com>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: misc/64694: UID/GID matching in ipfw non-functional
Date: Mon, 29 Mar 2004 13:33:21 -0500 (EST)

 On Sat, 27 Mar 2004, Grant Millar wrote:
 
 >  Here is the ssh socket showing it owned by root;
 >  sshd     4722  root    5u  IPv4 0xdcd94940      0t0  TCP
 >  66.90.98.2:ssh->host81-128-227-64.inaddr.btopenworld.com:22804
 >  (ESTABLISHED)
 
 sshd and httpd sockets are owned by root because these daemons bind the
 sockets while running with root privilege, and the "owner" of a socket is
 its creator.  This is a necessary evil for at least a couple of reasons,
 including the following: a single socket may be referenced by many
 processes, and therefore there is no notion of a "current process using
 socket", so the only consistent notion is the creator.  This was an
 intentional design choice by the designers of the sockets API, who chose
 to represent network endpoints as file-like objects, and the existing UNIX
 APIs allow file object references to be inherited and transferred from
 process to process (and be shared).
 
 There's arguably a bug, however, in sshd: while the primary port 22
 binding is necessarily created by a root process due to the UNIX notion of
 privilege, the SSH "forwarded ports" do *not* need to be bound by the root
 user.  It's a bug in sshd that it creates the sockets before switching to
 the user credential; I've previously reported this bug to the SSH authors
 but have not seen a response on that.
 
 Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
 robert@fledge.watson.org      Senior Research Scientist, McAfee Research
 

From: "Grant Millar" <Co0lkizz@btinternet.com>
To: <freebsd-gnats-submit@FreeBSD.org>, <co0lkizz@btinternet.com>
Cc:  
Subject: Re: misc/64694: UID/GID matching in ipfw non-functional
Date: Mon, 29 Mar 2004 23:37:44 +0100

 Ok so still no clarification as to whether this is an ipfw bug. I've
 also tried to match the uid to the current user who is running the
 process as well as root.
 
 00100  1086   99590 allow ip from 66.90.98.2 to any uid root
 00200  1556   83728 allow ip from any to 66.90.98.2 in
 00400     0       0 deny ip from 66.90.98.2 to any uid root
 00500   107   14366 deny ip from 66.90.98.2 to any uid admin
 65535 32314 3262298 allow ip from any to any
 
 Seems to be able to deny if a uid is specified, so why not any?
 
 Grant
 
 

From: "Grant Millar" <Co0lkizz@btinternet.com>
To: <freebsd-gnats-submit@FreeBSD.org>, <co0lkizz@btinternet.com>
Cc:  
Subject: Re: misc/64694: UID/GID matching in ipfw non-functional
Date: Mon, 5 Apr 2004 03:30:08 +0100

 Has anyone had a chance to look at this problem yet, any ideas?
 
 Grant
 
State-Changed-From-To: open->feedback 
State-Changed-By: bms 
State-Changed-When: Fri Jun 18 03:50:00 GMT 2004 
State-Changed-Why:  
csjp@ recently committed rev 1.62 of src/sys/netinet/ip_fw2.c which 
appears to make significant changes in this area. Can submitter 
please test the changes and see if they fix the issues they've been 
experiencing? Thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=64694 
Responsible-Changed-From-To: freebsd-bugs->ipfw 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Tue Aug 31 00:34:31 GMT 2004 
Responsible-Changed-Why:  
Over to ipfw mailing list to track progress. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=64694 
State-Changed-From-To: feedback->closed 
State-Changed-By: kris 
State-Changed-When: Sat Jul 30 00:51:58 GMT 2005 
State-Changed-Why:  
Feedback timeout 

http://www.freebsd.org/cgi/query-pr.cgi?pr=64694 
>Unformatted:
