Date:      Thu, 2 Jan 1997 20:43:19 -0800 (PST)
From:      "Jonathan M. Bresler" <jmb>
To:        avalon@coombs.anu.edu.au (Darren Reed)
Cc:        proff@iq.org, hackers@FreeBSD.ORG
Subject:   Re: file locking / firewalling based on uid/gid
Message-ID:  <199701030443.UAA28355@freefall.freebsd.org>
In-Reply-To: <199701022257.OAA10122@freefall.freebsd.org> from "Darren Reed" at Jan 3, 97 09:57:02 am

Darren Reed wrote:
> 
> In some mail from Julian Assange, sie said:
> [...]
> > 	# ipfw add pass tcp from any to any established gid inetd
> > 	# ipfw add pass tcp from any to any 21,79 setup in gid inetd
> 
> I don't think that is a good way (or the right place) to do access control
> for TCP/IP.  Firstly, on a gateway, not all TCP packets are likely to have
> a gid (or for there to be one which is "findable") and secondly, where
> the current hooks are, you will cause two tcpb lookups to occur for the
> same packet.
> 
> I think it would be cool to be able to do:
> 
> # mknod /dev/tcp/21 c major#_for_tcp 21 
> # chgrp inetd /dev/tcp/21
> # mknod /dev/tcp/79 c major#_for_tcp 79
> # chgrp inetd /dev/tcp/79
> # mknod /dev/tcp/25 c major#_for_tcp 25
> # chown uucp.mail /dev/tcp/25
> # chmod 770 /dev/tcp/25
> (who needs sendmail to run as root now ?!)
> 
> and have open() calls on those devices create sockets.
> 
> sockfs anyone ?

	Stevens and Pendry called this "portals"
	4.4BSD book pages 237-238
	USENIX proceedings Jan '95 p1-10
http://www.usenix.org/publications/library/proceedings/neworl/full_papers/stevens.ps

	apply standard access control to the portals.
	sendmail is uid/gid "sendmail"
	chown sendmail.sendmail /p/net/tcp/localhost/25 
	chmod 600 /p/net/tcp/localhost/25
jmb
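To make the "apply standard access control to the portals" idea concrete, here is a user-space model (an added example, not code from this thread, from portalfs, or from ipfw) of the permission check that open(2) applies to a node such as /dev/tcp/25 or /p/net/tcp/localhost/25 before the kernel would turn the open into a socket. The node table reuses the owner/group/mode values given in the thread; the mode for /dev/tcp/21 (the thread only runs chgrp on it), the user names other than root, uucp and sendmail, and the group memberships are assumptions made for illustration.

```python
"""Model of Unix owner/group/other access control applied to portal nodes.

Added example, not part of the mailing-list thread.  It shows which
process credentials could open each node, and therefore which daemons
could reach each port without running as root.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    """Owner, group and permission bits of one portal/device node."""
    owner: str
    group: str
    mode: int  # permission bits only, e.g. 0o770


@dataclass(frozen=True)
class Cred:
    """Effective user and group set of the process calling open(2)."""
    user: str
    groups: frozenset  # primary plus supplementary groups


def can_open(node: Node, cred: Cred, want_write: bool = True) -> bool:
    """Standard Unix class check: exactly one of owner, group, other applies.

    A user who owns the node is judged by the owner bits alone, even when
    the group bits would grant more.  Root bypasses the check entirely.
    Connecting through a portal needs read and write, so want_write defaults
    to True; want_write=False models a read-only open.
    """
    need = stat.S_IRUSR | (stat.S_IWUSR if want_write else 0)
    if cred.user == "root":
        return True
    if cred.user == node.owner:
        bits = node.mode & stat.S_IRWXU
    elif node.group in cred.groups:
        bits = (node.mode & stat.S_IRWXG) << 3  # move group bits into the owner position
    else:
        bits = (node.mode & stat.S_IRWXO) << 6  # move other bits into the owner position
    return bits & need == need


def allowed_users(node: Node, creds) -> list:
    """Names of the credentials in `creds` that could open `node`, sorted."""
    return sorted(c.user for c in creds if can_open(node, c))


# Nodes from the thread.  /dev/tcp/21 has no mode in the thread; 0o660 is assumed.
PORTALS = {
    "/dev/tcp/21": Node("root", "inetd", 0o660),                    # chgrp inetd (mode assumed)
    "/dev/tcp/25": Node("uucp", "mail", 0o770),                     # chown uucp.mail; chmod 770
    "/p/net/tcp/localhost/25": Node("sendmail", "sendmail", 0o600),  # chown sendmail.sendmail; chmod 600
}

# Constructed process credentials; "postman" and "inetd"/"wheel" memberships are assumptions.
CREDS = [
    Cred("root", frozenset({"wheel"})),
    Cred("inetd", frozenset({"inetd"})),
    Cred("sendmail", frozenset({"sendmail"})),
    Cred("uucp", frozenset({"uucp"})),
    Cred("postman", frozenset({"postman", "mail"})),  # in group mail, not owner of anything
    Cred("nobody", frozenset({"nobody"})),
]


if __name__ == "__main__":
    for path, node in PORTALS.items():
        print(f"{path:28s} {oct(node.mode)} {node.owner}:{node.group}  "
              f"can open: {allowed_users(node, CREDS)}")
```

The interesting cases are the ones the thread leaves implicit: with `chmod 600` on /p/net/tcp/localhost/25, a process that is merely in group sendmail is refused, and a node given group bits but no owner bits would refuse its own owner, because the owner class is the only one consulted for that user.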
