Date:      Fri, 3 Jan 1997 09:57:02 +1100 (EDT)
From:      Darren Reed <avalon@coombs.anu.edu.au>
To:        proff@iq.org (Julian Assange)
Cc:        hackers@FreeBSD.ORG
Subject:   Re: file locking / firewalling based on uid/gid
Message-ID:  <199701022257.OAA10122@freefall.freebsd.org>
In-Reply-To: <199701021041.VAA11426@profane.iq.org> from "Julian Assange" at Jan 2, 97 09:41:37 pm

In some mail from Julian Assange, sie said:
[...]
> 	# ipfw add pass tcp from any to any established gid inetd
> 	# ipfw add pass tcp from any to any 21,79 setup in gid inetd

I don't think that is a good way (or the right place) to do access control
for TCP/IP.  Firstly, on a gateway, not all TCP packets are likely to have
a gid (or for there to be one which is "findable") and secondly, where
the current hooks are, you will cause two tcpb lookups to occur for the
same packet.

I think it would be cool to be able to do:

# mknod /dev/tcp/21 c major#_for_tcp 21 
# chgrp inetd /dev/tcp/21
# mknod /dev/tcp/79 c major#_for_tcp 79
# chgrp inetd /dev/tcp/79
# mknod /dev/tcp/25 c major#_for_tcp 25
# chown uucp.mail /dev/tcp/25
# chmod 770 /dev/tcp/25
(who needs sendmail to run as root now ?!)

and have open() calls on those devices create sockets.

sockfs anyone ?

Darren

p.s. yes, netinet is nearly (not completely) in the splnet() cloud for BSD,
     which may have something to do with why Sun rewrote it for Solaris2.
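To make the permission model of the /dev/tcp proposal concrete, here is an added illustration (not FreeBSD code and not part of this thread) that decides port access from the device node's owner, group and mode bits exactly as an ordinary open() permission check would; the uid/gid numbers, the 0660 mode of the untouched port 21/79 nodes, and the read-write requirement are assumptions.

```python
"""Added illustration of the /dev/tcp/<port> idea: may a process create a
socket on a port?  Answered by the owner/group/mode of /dev/tcp/<port>.
Assumptions (not from the message): uid/gid numbers are constructed,
ports 21/79 are left at mode 0660, and a socket needs a read-write open."""
from dataclasses import dataclass

UID = {"root": 0, "uucp": 66, "nobody": 65534}        # constructed
GID = {"inetd": 100, "mail": 6, "nobody": 65534}      # constructed

@dataclass(frozen=True)
class DevNode:
    uid: int
    gid: int
    mode: int          # permission bits only, e.g. 0o770

@dataclass(frozen=True)
class Cred:
    uid: int
    gids: frozenset    # primary plus supplementary groups

# /dev/tcp/<port> after the mknod/chgrp/chown/chmod lines in the message.
DEV_TCP = {
    21: DevNode(UID["root"], GID["inetd"], 0o660),   # chgrp inetd
    79: DevNode(UID["root"], GID["inetd"], 0o660),   # chgrp inetd
    25: DevNode(UID["uucp"], GID["mail"], 0o770),    # chown uucp.mail; chmod 770
}

def may_open_port(port: int, cred: Cred, need: int = 0o6) -> bool:
    """Plain DAC: owner class if uid matches, else group class if any of the
    process's groups match, else other.  need=0o6 is read+write (O_RDWR)."""
    node = DEV_TCP.get(port)
    if node is None:
        return False                   # no node, no socket on that port
    if cred.uid == UID["root"]:
        return True                    # root bypasses DAC, as on any device
    if cred.uid == node.uid:
        bits = (node.mode >> 6) & 0o7
    elif node.gid in cred.gids:
        bits = (node.mode >> 3) & 0o7
    else:
        bits = node.mode & 0o7
    return bits & need == need

# Constructed credentials for the daemons named in the message.
SENDMAIL = Cred(UID["uucp"], frozenset({GID["mail"]}))     # no longer root
INETD = Cred(UID["nobody"], frozenset({GID["inetd"]}))     # unprivileged inetd
STRANGER = Cred(UID["nobody"], frozenset({GID["nobody"]}))
```

With these nodes sendmail (uucp:mail) can take port 25 without root, a process in group inetd can take 21 and 79 but not 25, and a process in neither group gets nothing.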
