From owner-freebsd-hackers Thu Jan  2 14:57:20 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id OAA10127 for hackers-outgoing; Thu, 2 Jan 1997 14:57:20 -0800 (PST)
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id OAA10122 for ; Thu, 2 Jan 1997 14:57:16 -0800 (PST)
Message-Id: <199701022257.OAA10122@freefall.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA007195822; Fri, 3 Jan 1997 09:57:02 +1100
From: Darren Reed
Subject: Re: file locking / firewalling based on uid/gid
To: proff@iq.org (Julian Assange)
Date: Fri, 3 Jan 1997 09:57:02 +1100 (EDT)
Cc: hackers@FreeBSD.ORG
In-Reply-To: <199701021041.VAA11426@profane.iq.org> from "Julian Assange" at Jan 2, 97 09:41:37 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

In some mail from Julian Assange, sie said:
[...]
> # ipfw add pass tcp from any to any established gid inetd
> # ipfw add padd tcp from any to any 21,79 setup in gid inetd

I don't think that is a good way (or the right place) to do access control for TCP/IP. Firstly, on a gateway, not all TCP packets are likely to have a gid (or for there to be one which is "findable") and secondly, where the current hooks are, you will cause two tcpb lookups to occur for the same packet.

I think it would be cool to be able to do:

  # mknod /dev/tcp/21 c major#_for_tcp 21
  # chgrp inetd /dev/tcp/21
  # mknod /dev/tcp/79 c major#_for_tcp 79
  # chgrp inetd /dev/tcp/79
  # mknod /dev/tcp/25 c major#_for_tcp 25
  # chown uucp.mail /dev/tcp/25
  # chmod 770 /dev/tcp/25

(who needs sendmail to run as root now ?!)

and have open() calls on those devices create sockets. sockfs anyone ?

Darren

p.s. yes, netinet is nearly (not completely) in the splnet() cloud for BSD, which may have something to do with why Sun rewrote it for Solaris2.
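An added illustration, not from the message above or from FreeBSD, of how the proposed /dev/tcp/<port> nodes would gate who can get a socket on a port: the ordinary Unix owner/group/other check applied to the nodes that the mknod/chgrp/chown/chmod sequence creates, including the edge case where owner bits apply exclusively. The numeric uids/gids, the 0660 mode on port 21 (the message sets no mode there) and the tcp_node_access function are all assumptions of this example.

```c
#include <sys/types.h>
#include <stdio.h>

/* Constructed model of one proposed /dev/tcp/<port> node: what the message's
 * mknod/chown/chgrp/chmod sequence would leave on it. */
struct tcp_node { int port; uid_t uid; gid_t gid; mode_t mode; };

/* Assumed sample ids, not real system values; ports 21/79 get no chmod in
 * the message, so 0660 is an assumed mknod default for the illustration. */
#define UID_UUCP  66
#define GID_MAIL  6
#define GID_INETD 60
#define ACC_RW    06   /* read+write bits, what an O_RDWR open() asks for */
static const struct tcp_node dev_tcp_21 = { 21, 0,        GID_INETD, 0660 };
static const struct tcp_node dev_tcp_25 = { 25, UID_UUCP, GID_MAIL,  0770 };

/* The ordinary Unix owner/group/other check, which is all the proposal needs:
 * owner bits apply when the uid matches (exclusively, even if a group would
 * also match), else group bits when any supplementary group matches, else
 * other bits; uid 0 bypasses as on any device node. Returns 1 if permitted. */
int tcp_node_access(const struct tcp_node *n, uid_t uid,
                    const gid_t *groups, int ngroups, mode_t want)
{
    mode_t bits = n->mode & 7;               /* default: "other" bits */
    int i;

    if (uid == 0)
        return 1;
    if (uid == n->uid) {
        bits = (n->mode >> 6) & 7;
    } else {
        for (i = 0; i < ngroups; i++)
            if (groups[i] == n->gid) {
                bits = (n->mode >> 3) & 7;
                break;
            }
    }
    return (bits & want) == want;
}

int main(void)
{
    gid_t mail[] = { GID_MAIL }, none[] = { 100 };
    /* An unprivileged mailer in group mail gets port 25; a stranger does not. */
    printf("group mail -> port 25: %d\n", tcp_node_access(&dev_tcp_25, 1001, mail, 1, ACC_RW));
    printf("no group   -> port 25: %d\n", tcp_node_access(&dev_tcp_25, 1001, none, 1, ACC_RW));
    return 0;
}
```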