From 424242424242424242@j-f.dk Fri Jan 3 22:28:12 2003
Date: Wed, 1 Jan 2003 15:39:22 +0100
From: Jesper FA <424242424242424242@j-f.dk>
Reply-To: vserver@solucorp.qc.ca
To: vserver@solucorp.qc.ca
Subject: Re: [vserver] Again: bind 0.0.0.0 w/o permission

On Monday 30 December 2002 16:39, Gerrit Hoetzel wrote:

I did notice your post on the 26th and it made me look further into the problem, and I discovered that when you call netcat with an IP or port number it creates a socket, binds to the IP/port given and then listens. But if you call netcat without an IP or port it just creates a socket and then calls listen to bind any IP (0.0.0.0) and get a random port, and this is where it goes wrong.

I then looked into the kernel patch and noticed that when bind is called inside a vserver the IPs are limited based on what IPs the process is limited to (the IPs of the vserver). No changes are apparently made to listen. When a socket is created no limiting is done.

This all works fine if you call create socket, bind, listen as most programs do. But as we both have discovered, some programs do want a random port on any IP and just call create socket, listen. The problem is then that the newly created socket is not limited, and as listen does not check anything it binds to all IPs on the box.

I have attached a patch which I believe fixes the problem by limiting a socket at creation time. But as it is my first ever published kernel patch and I (yet) don't understand everything that goes on in the kernel, I might have missed something.

Having done this I also have a question. Is there any good reason to handle 1 IP and 2 or more IPs as separate cases? It uses a bit less memory, but there is more code => greater chance of error, less testing. And why not show bind any as 0.0.0.0 when there is only one IP.

--
Jesper
 2:31pm up 7 days, 22:21, 2 users, load average: 1.16, 1.03, 1.01

[ Part 2, Text/X-DIFF (Name: "ctx16-p1-2.diff") 37 lines. ]
[ Unable to print this part. ]
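The socket/bind/listen behaviour described in the mail can be reproduced from userspace, which is also the check a vserver administrator would run to confirm whether a listener escaped its context. The program below is an added example and is not the mail's patch nor vserver project code: it opens one TCP socket with no bind() before listen() (the netcat-without-arguments case) and one bound to loopback first, reads back the address each actually ended up on with getsockname(), and applies a userspace model of the rule the patch is meant to enforce (a listener is acceptable only if its local address is one of the context's IPs). The context IP list (127.0.0.1 only) is constructed, and the program assumes a loopback interface is available.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a TCP socket and call listen() on it. If bind_ip is NULL no bind()
 * is done first, which is the case from the mail: the kernel then auto-binds
 * the socket to 0.0.0.0 and an ephemeral port inside listen(). With bind_ip
 * set, the socket is bound to that address (port chosen by the kernel) before
 * listen(). Returns the listening fd, or -1 on error. */
int open_listener(const char *bind_ip) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (bind_ip != NULL) {
        struct sockaddr_in sa;
        memset(&sa, 0, sizeof sa);
        sa.sin_family = AF_INET;
        sa.sin_port = 0;                       /* let the kernel pick the port */
        if (inet_pton(AF_INET, bind_ip, &sa.sin_addr) != 1 ||
            bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
            close(fd);
            return -1;
        }
    }
    if (listen(fd, 5) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* The local IPv4 address (host byte order) a socket is actually bound to
 * after listen(); the port is returned through *port when non-NULL.
 * Returns 0xFFFFFFFF on error (255.255.255.255 is never a valid bind). */
unsigned int local_addr(int fd, unsigned short *port) {
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return 0xFFFFFFFFu;
    if (port) *port = ntohs(sa.sin_port);
    return ntohl(sa.sin_addr.s_addr);
}

/* Userspace model of the restriction the mail says bind() already gets but
 * listen() does not: a listener is confined only if its local address is one
 * of the IPs the context owns. A wildcard listener (0.0.0.0) is never in that
 * set, so it is reported as having escaped the context.
 * Returns 1 = confined, 0 = escaped, -1 = error. */
int listener_confined(int fd, const unsigned int *allowed, size_t n) {
    unsigned int a = local_addr(fd, NULL);
    if (a == 0xFFFFFFFFu) return -1;
    for (size_t i = 0; i < n; i++)
        if (allowed[i] == a) return 1;
    return 0;
}

int main(void) {
    /* Constructed context: the vserver is allowed 127.0.0.1 only. */
    const unsigned int ctx_ips[] = { 0x7F000001u };
    int a = open_listener(NULL);           /* socket, listen  (no bind) */
    int b = open_listener("127.0.0.1");    /* socket, bind, listen      */
    unsigned short pa = 0, pb = 0;
    unsigned int aa = local_addr(a, &pa), ab = local_addr(b, &pb);
    printf("no bind : %u.%u.%u.%u:%u confined=%d\n",
           aa >> 24, (aa >> 16) & 255, (aa >> 8) & 255, aa & 255, pa,
           listener_confined(a, ctx_ips, 1));
    printf("bind lo : %u.%u.%u.%u:%u confined=%d\n",
           ab >> 24, (ab >> 16) & 255, (ab >> 8) & 255, ab & 255, pb,
           listener_confined(b, ctx_ips, 1));
    close(a);
    close(b);
    return 0;
}
```

The first listener reports 0.0.0.0 with a non-zero ephemeral port and is flagged as escaped even though the process never called bind() at all, which is exactly why a check placed only in bind() is insufficient and why the mail proposes limiting the socket at creation time instead.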