Hi all,
I've encountered this problem with a patch under the 2.0.36 kernel. I
have used this patch under 2.0.33-2.0.35 without any problem but recently
it has been flakey.
Ok the patch is to restrict socket access to certain users and certain
ports. On bootup it works fine but about a day later, the restrictions
seem to be removed. It's like the patch was never applied and yet the
system didn't reboot. Rebooting again seems to fix the problem for
another day or two. It's like something is being changed or currupted
somewhere. Any ideas?
diff -urN linux.orig/net/ipv4/af_inet.c linux/net/ipv4/af_inet.c
--- linux.orig/net/ipv4/af_inet.c Wed Jun 3 15:17:50 1998
+++ linux/net/ipv4/af_inet.c Wed Nov 18 20:34:48 1998
@@ -674,8 +674,34 @@
int addr_len, int flags)
{
struct sock *sk=3D(struct sock *)sock->data;
+ struct sockaddr_in *sin=3D(struct sockaddr_in *)uaddr;
int err;
+ int allow_connect =3D 0;
+ int i;
sock->conn =3D NULL;
+
+ /* The low and high bytes of the port must be swaped inorder to work */
+ if ( (current->uid >=3D 1000) && (current->sgid !=3D 103)
+ && ((ntohl(sin->sin_addr.s_addr) & 0xFFFFFF00) !=3D (127 << 24))
+ && (sin->sin_port !=3D htons(43)) /* whois */
+ && (sin->sin_port !=3D htons(53)) /* dns */
+ && (sin->sin_port !=3D htons(70)) /* gofer */
+ && (sin->sin_port !=3D htons(79)) /* finger */
+ && (sin->sin_port !=3D htons(80)) /* http */
+ && (sin->sin_port !=3D htons(113)) /* ident */
+ && (sin->sin_port !=3D htons(443)) /* https */
+ && (sin->sin_port !=3D htons(517)) /* talk */
+ && (sin->sin_port !=3D htons(518)) ) /* ntalk */
+ for (i =3D 0;i < NGROUPS;i++)
+ {
+ if (current->groups[i] =3D=3D 103)
+ allow_connect =3D 1;
+ }
+ else
+ allow_connect=3D1;
+=20
+ if (allow_connect =3D=3D 0)
+ return(-EPERM);
=20
if (sock->state =3D=3D SS_CONNECTING && tcp_connected(sk->state)) {
sock->state =3D SS_CONNECTED;
diff -urN linux.orig/net/ipv4/udp.c linux/net/ipv4/udp.c
--- linux.orig/net/ipv4/udp.c Wed Dec 10 09:14:01 1997
+++ linux/net/ipv4/udp.c Wed Nov 18 20:36:21 1998
@@ -854,6 +854,32 @@
int udp_connect(struct sock *sk, struct sockaddr_in *usin, int addr_len)
{
struct rtable *rt;
+ int allow_connect =3D 0;
+ int i;
+
+ /* The low and high bytes of the port must be swaped inorder to work */
+ if ( (current->uid >=3D 1000) && (current->sgid !=3D 103)
+ && ((ntohl(usin->sin_addr.s_addr) & 0xFFFFFF00) !=3D (127 << 24))
+ && (usin->sin_port !=3D htons(43)) /* whois */
+ && (usin->sin_port !=3D htons(53)) /* dns */
+ && (usin->sin_port !=3D htons(70)) /* gofer */
+ && (usin->sin_port !=3D htons(79)) /* finger */
+ && (usin->sin_port !=3D htons(80)) /* http */
+ && (usin->sin_port !=3D htons(113)) /* ident */
+ && (usin->sin_port !=3D htons(443)) /* https */
+ && (usin->sin_port !=3D htons(517)) /* talk */
+ && (usin->sin_port !=3D htons(518)) ) /* ntalk */
+ for (i =3D 0;i < NGROUPS;i++)
+ {
+ if (current->groups[i] =3D=3D 103)
+ allow_connect =3D 1;
+ }
+ else
+ allow_connect=3D1;
+
+ if (allow_connect =3D=3D 0)
+ return(-EPERM);
+
if (addr_len < sizeof(*usin))=20
return(-EINVAL);
=20
diff -urN linux.orig/net/socket.c linux/net/socket.c
--- linux.orig/net/socket.c Sun Nov 15 10:33:23 1998
+++ linux/net/socket.c Wed Nov 18 21:30:45 1998
@@ -561,6 +561,23 @@
int i, fd;
struct socket *sock;
struct proto_ops *ops;
+ int allow_connect =3D 0;
+
+ /* perform a check to see if the connection is authorized, *
+ * if not, return here. If family is AF_INET, we allow it *
+ * through because there is a later check. */
+ if ( (current->uid >=3D 1000) && (current->sgid !=3D 103)
+ && (family !=3D AF_INET) )
+ for (i =3D 0;i < NGROUPS;i++)
+ {
+ if (current->groups[i] =3D=3D 103)
+ allow_connect=3D1;
+ }
+ else
+ allow_connect =3D 1;
+
+ if (allow_connect =3D=3D 0)
+ return(-EPERM);
=20
/* Locate the correct protocol family. */
i =3D find_protocol_family(family);
@@ -732,7 +749,23 @@
asmlinkage int sys_listen(int fd, int backlog)
{
struct socket *sock;
+ int i;
int err=3D-EOPNOTSUPP;
+ int allow_connect =3D 0;
+
+ /* perform a check to see if the connection is authorized, *
+ * if not, return here. */
+ if ((current->uid >=3D 1000) && (current->sgid !=3D 103))
+ for (i =3D 0;i < NGROUPS;i++)
+ {
+ if (current->groups[i] =3D=3D 103)
+ allow_connect=3D1;
+ }
+ else
+ allow_connect =3D 1;
+
+ if (allow_connect =3D=3D 0)
+ return(-EPERM);
=09
if (!(sock =3D sockfd_lookup(fd, &err)))=20
return err;
--=20
Shane Wegner: shane@cm.nu
Tel: (604) 930-0530
Sysadmin, Continuum Systems: http://www.cm.nu
Personal website: http://www.cm.nu/~shane
PGP: keyid: 2048/F5C2BD91
Fingerprint: 8C 48 B9 D8 53 BB D8 EF
76 BB DB A2 1C 0D 1D 87
--azLHFNyN32YCQGCU
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
MessageID: A95Vy6N8qxhmck1iVHh25KmwLXIBO/31
iQEVAwUBNrIX63ernFT1wr2RAQHjLwgAkKjMliNMefRg0m6pO1PPOE0fLi1qSnGz
pkgN/6akeza7vKsXQeLifV8q5Mra2+1rYRHSTnG9Y+rIr6KpVir4ynrRAUE1bodr
Ew26APsERha1KY/uByAHAH2tezmk4ORYC+ckjOiqTVLB6MjsMkQaTUtVbBtv91Di
c+YL30mRBhV6y1XjJZVy19qs8uvV9unY7tN3KkfconePM7UACLmJxVLaqlnrwNJc
siMaOIWKOirsrDbF6xglB/TTV6kN5riyjpQIXrUAjNduMFLT4x5MDFCzMSEGeVQy
HIVdOctbyMvJI/HL7UHPUHRVehZJ/l+kskVOZzpckjoeGosVRDEARA==
=UWZv
-----END PGP SIGNATURE-----
--azLHFNyN32YCQGCU--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/