Date:      Fri, 3 Jan 1997 10:34:34 +1100 (EST)
From:      Julian Assange <proff@iq.org>
To:        avalon@coombs.anu.edu.au (Darren Reed)
Cc:        hackers@freebsd.org
Subject:   Re: file locking / firewalling based on uid/gid
Message-ID:  <199701022334.KAA16149@profane.iq.org>
In-Reply-To: <199701022258.JAA15669@profane.iq.org> from Darren Reed at "Jan 3, 97 09:57:02 am"

> In some mail from Julian Assange, sie said:
> [...]
> > 	# ipfw add pass tcp from any to any established gid inetd
> > 	# ipfw add pass tcp from any to any 21,79 setup in gid inetd
> 
> I don't think that is a good way (or the right place) to do access control
> for TCP/IP.  Firstly, on a gateway, not all TCP packets are likely to have
> a gid (or for there to be one which is "findable") and secondly, where
> the current hooks are, you will cause two tcpb lookups to occur for the
> same packet.

Bypassed these limitations by hooking input firewall checks into
the individual proto_sw routines just after the tcbp hash lookups.
Requires two scans of the firewall rule-set for inbound host packets,
but this has almost no overhead, because the first scan doesn't do
the checks of the second and vice versa.  The ipfw rule-set flows
sequentially without jumps, permitting this optimisation to work.

Output checks were unified by comparison, requiring only the passing
of (the new) socket credential information into ip_output(), where
it is passed onto the regular fw hook.

> I think it would be cool to be able to do:
> 
> # mknod /dev/tcp/21 c major#_for_tcp 21 
> # chgrp inetd /dev/tcp/21
> # mknod /dev/tcp/79 c major#_for_tcp 79
> # chgrp inetd /dev/tcp/79
> # mknod /dev/tcp/25 c major#_for_tcp 25
> # chown uucp.mail /dev/tcp/25
> # chmod 770 /dev/tcp/25
> (who needs sendmail to run as root now ?!)
> 
> and have open() calls on those devices create sockets.
> 
> sockfs anyone ?

I'm all for the everything-is-a-file and the file-system name space
philosophy of Unix, which has unfortunately been badly corroded over
the years. See VSTa or plan9 for how file system name spaces should
be managed.

That said, my ipfw-socket-credential implementation has a lot more
power and flexibility than /dev/tcp/etc which really just solves
the binding() issue and doesn't do anything to address covert
channels.

Cheers,
Julian <proff@iq.org>
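The two-pass evaluation Julian describes (a generic check in ip_input before any socket is known, then a second check in the protocol input routine once the pcb lookup has found the owning socket) is simulated below in userspace. This is an added example, not code from the original message, Julian's patch or FreeBSD; the Packet/Socket/Rule types, the GID constants and the resume-index mechanism are all assumptions made for illustration, and it reads the "two scans that don't repeat each other's checks" remark as: the first pass stops at the first rule it cannot decide without credentials, and the second pass resumes from exactly that rule. It also shows Darren's objection: on a gateway a forwarded packet has no local socket, so credential rules can never match it.

```python
"""Two-phase firewall evaluation with socket credentials.

Added example (not code from the original message, Julian's patch, or
FreeBSD): a userspace simulation of ipfw-style rules carrying uid/gid
clauses.  Such a clause is only decidable once the packet has been matched
to a local socket (the pcb lookup in tcp_input), so the rule set is walked
in two phases, the second resuming where the first had to stop.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed ids for the example; real ipfw compares numeric uid/gid.
GID_INETD = 60
GID_USERS = 100


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" or "udp"
    dport: int
    inbound: bool = True
    setup: bool = False        # SYN without ACK
    established: bool = False  # ACK set (any non-SYN-only segment)


@dataclass(frozen=True)
class Socket:
    """Owner credentials the kernel would find on the matched pcb."""
    uid: int
    gid: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "deny"
    proto: str = "any"
    dports: Tuple[int, ...] = ()      # () matches any port
    flag: str = ""                    # "", "setup" or "established"
    inbound: Optional[bool] = None    # None = either direction
    uid: Optional[int] = None
    gid: Optional[int] = None

    def needs_cred(self) -> bool:
        return self.uid is not None or self.gid is not None

    def matches_packet(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        if self.flag == "setup" and not p.setup:
            return False
        if self.flag == "established" and not p.established:
            return False
        if self.inbound is not None and self.inbound != p.inbound:
            return False
        return True

    def matches_cred(self, s: Socket) -> bool:
        return (self.uid is None or self.uid == s.uid) and \
               (self.gid is None or self.gid == s.gid)


def scan(rules, p, sock, start=0, local=True):
    """Sequential first-match walk from `start`.  Returns (verdict, index).

    verdict is "pass", "deny", or "defer" when a credential rule matched the
    packet but no socket is known yet; index tells the caller where to resume.
    """
    for i in range(start, len(rules)):
        r = rules[i]
        if not r.matches_packet(p):
            continue
        if r.needs_cred():
            if not local:
                continue           # forwarded packet: no pcb, rule can never match
            if sock is None:
                return "defer", i  # decide after the pcb lookup
            if not r.matches_cred(sock):
                continue
        return r.action, i
    return "deny", len(rules)      # implicit default deny at end of set


def ip_input(rules, p, local=True):
    """Phase 1: the generic hook, before any socket is known."""
    return scan(rules, p, None, 0, local)


def tcp_input(rules, p, sock, resume):
    """Phase 2: after the pcb lookup, resume from the deferred rule."""
    return scan(rules, p, sock, resume, local=True)


def filter_packet(rules, p, sock=None, local=True):
    """Run both phases as the kernel would; returns (verdict, phases_used)."""
    verdict, idx = ip_input(rules, p, local)
    if verdict != "defer":
        return verdict, 1
    verdict, _ = tcp_input(rules, p, sock, idx)
    return verdict, 2


# The two rules from the message, plus a credential-free rule and a final deny.
RULES = [
    Rule("pass", "tcp", (22,), "setup", inbound=True),      # decided in phase 1
    Rule("pass", "tcp", flag="established", gid=GID_INETD),
    Rule("pass", "tcp", (21, 79), "setup", inbound=True, gid=GID_INETD),
    Rule("deny"),
]

if __name__ == "__main__":
    syn21 = Packet("tcp", 21, setup=True)
    print(filter_packet(RULES, syn21, Socket(0, GID_INETD)))     # ('pass', 2)
    print(filter_packet(RULES, syn21, Socket(1000, GID_USERS)))  # ('deny', 2)
    print(filter_packet(RULES, syn21, local=False))              # ('deny', 1)
```

A SYN to port 21 is passed only when the socket the pcb lookup returns is owned by the inetd group; the same SYN arriving at a gateway for forwarding is denied in the first phase because the credential rules are skipped and the trailing deny is hit. Rules that carry no credential clause, like the port-22 rule, are settled in the first phase and never cost a second scan. FreeBSD's ipfw did later gain uid and gid match options, with the same limitation Darren points out: they can only apply to packets that have a local socket.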



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199701022334.KAA16149>