raw sockets can't be disabled #307

Closed
ntinti opened this issue Jul 10, 2018 · 3 comments
@ntinti ntinti commented Jul 10, 2018

FreeBSD version ( uname -a ): 11.2 Release
CBSD version ( cbsd version ): 11.2.0

By default on FreeBSD, allow.raw_sockets is disabled. CBSD enables it by default without the possibility to switch it off; there is no config setting, and only "cbsd makeconf" shows that it is there.

     allow.raw_sockets
             The jail root is allowed to create raw sockets.  Setting
             this parameter allows utilities like ping(8) and
             traceroute(8) to operate inside the jail.  If this is
             set, the source IP addresses are enforced to comply with
             the IP address bound to the jail, regardless of whether
             or not the IP_HDRINCL flag has been set on the socket.
             Since raw sockets can be used to configure and interact
             with various network subsystems, extra caution should be
             used where privileged access to jails is given out to
             untrusted parties.

@olevole olevole self-assigned this Jul 10, 2018
Collaborator

@olevole olevole commented Jul 10, 2018

3737351
e28c28f

open question: we need to choose the default value

olevole added a commit that referenced this issue Jul 10, 2018
change default value to 0, off
todo: migration script to leave old env untouchable
Issue #307
Author

@ntinti ntinti commented Jul 10, 2018

Top :-)

@ntinti ntinti closed this Jul 10, 2018
olevole added a commit that referenced this issue Jul 10, 2018
add special warning for migration scripts;
show options in jconstruct-tui; allow modify on-the-fly via jset/jconfig;
Issue #307
Collaborator

@olevole olevole commented Jul 28, 2018

committed to ports as 11.2.1
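
To audit running jails for the allow.raw_sockets parameter discussed in this issue, the following added example (not part of the thread and not CBSD code) filters `jls -n` output for jails that have it enabled. It assumes the jls(8) `-n` format in which booleans print as `allow.raw_sockets` or `allow.noraw_sockets`; the function names, jail names and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: report running jails that permit raw sockets.
# On a FreeBSD host:  jls -n | raw_socket_jails

raw_socket_jails() {
    # Reads `jls -n` output on stdin: one running jail per line,
    # space-separated name=value pairs. Boolean parameters appear as
    # allow.raw_sockets (on) or allow.noraw_sockets (off); the =1 form is
    # accepted as well for hand-built input.
    awk '
    {
        name = ""; raw = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/)
                name = substr($i, 6)
            else if ($i == "allow.raw_sockets" || $i == "allow.raw_sockets=1")
                raw = 1
        }
        if (raw) {
            if (name == "") name = "(unnamed)"
            print name
        }
    }'
}

# Constructed sample of two `jls -n` lines (trimmed to a few parameters).
sample_jls_output() {
    cat <<'EOF'
devfs_ruleset=4 enforce_statfs=2 host=new jid=1 name=web1 path=/usr/jails/web1 persist allow.nochflags allow.raw_sockets allow.set_hostname
devfs_ruleset=4 enforce_statfs=2 host=new jid=2 name=db1 path=/usr/jails/db1 persist allow.nochflags allow.noraw_sockets allow.set_hostname
EOF
}

# Use the live jail list when jls exists, otherwise the constructed sample.
if command -v jls >/dev/null 2>&1; then
    jls -n | raw_socket_jails
else
    sample_jls_output | raw_socket_jails
fi
```

Only running jails appear in `jls` output, so a stopped jail's configured value has to be checked in its configuration instead.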
