From owner-freebsd-hackers Wed Sep 25 8:53:42 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 67CDA37B401; Wed, 25 Sep 2002 08:53:41 -0700 (PDT)
Received: from mta6.snfc21.pbi.net (mta6.snfc21.pbi.net [206.13.28.240]) by mx1.FreeBSD.org (Postfix) with ESMTP id BE1AD43E75; Wed, 25 Sep 2002 08:53:40 -0700 (PDT) (envelope-from mbsd@pacbell.net)
Received: from atlas ([64.168.24.134]) by mta6.snfc21.pbi.net (iPlanet Messaging Server 5.1 (built May 7 2001)) with ESMTP id <0H300016D45GP0@mta6.snfc21.pbi.net> for freebsd-hackers@FreeBSD.ORG; Wed, 25 Sep 2002 08:53:40 -0700 (PDT)
Date: Wed, 25 Sep 2002 08:53:40 -0700 (PDT)
From: Mikko Työläjärvi
Subject: Re: Just a wild idea
In-reply-to: <20020924174331.A37898@psconsult.nl>
To: Paul Schenkeveld
Cc: tho, freebsd-hackers@FreeBSD.ORG
Message-id: <20020925085046.R17757-100000@atlas.home>
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=ISO-8859-1
Content-transfer-encoding: 8BIT
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, 24 Sep 2002, Paul Schenkeveld wrote:

> Hi Thomas,
>
> On Tue, Sep 24, 2002 at 01:31:59AM +0200, tho wrote:
> > hi Paul,
> >
> > have you considered using a "file descriptor passing" based technique
> > (section 14.7 of Stevens' UNPv1)?
> >
> > you may have a process with suser privs which creates file descriptors
> > (e.g. socket bind()ed to a particular address and port) on demand and then
> > passes back the descriptor to the requesting (unprivileged) process through
> > a unix domain socket
>
> I know this technique but the real issue is about many pieces of
> standard software, like BIND named, sendmail, syslogd and so on.
> So this technique, although very usable for new projects, will
> not solve this problem.
As long as the programs are dynamically linked, you can LD_PRELOAD a
wrapper for bind() that passes the socket and address information to
the privileged process that does the actual bind() call and replies
with an errno value.

It works. I've done it.

$.02,
    /Mikko

Mikko Työläjärvi                               mikko@rsasecurity.com
RSA Security
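A worked example of the scheme Mikko describes, added here as an illustration (it is not code from the post or from any of the projects named in the thread). Both halves live in one file: the unprivileged side, which becomes the interposed bind() when built with -DPRIVBIND_SHIM and preloaded, and the privileged helper side, which receives the still-unbound socket over a Unix domain socket (SCM_RIGHTS), checks a policy, calls the real bind() and answers with an errno. The wire format (raw sockaddr bytes in, int32 errno out), the PRIVBIND_SHIM macro and the PRIVBIND_SOCKET environment variable are assumptions made for this example. Because the passed descriptor refers to the same socket object as the caller's, binding it in the helper binds the caller's socket too; the caller never gains privilege.

```c
/* privbind.c: added example, not from the original post.
 * shim:   cc -shared -fPIC -DPRIVBIND_SHIM -o libprivbind.so privbind.c -ldl
 * helper: link privbind_serve_one() into a root-run daemon that accept()s on
 *         the path named by PRIVBIND_SOCKET (assumed name) and calls it per client. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#ifdef PRIVBIND_SHIM
#include <dlfcn.h>
#endif

typedef int (*privbind_policy)(const struct sockaddr *, socklen_t);

/* Send buf plus one descriptor as SCM_RIGHTS ancillary data. */
static int send_fd(int chan, int fd, const void *buf, size_t len)
{
    struct iovec iov = { (void *)buf, len };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { 0 };
    memset(cbuf, 0, sizeof cbuf);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(chan, &msg, 0) == (ssize_t)len ? 0 : -1;
}

/* Receive buf and the descriptor that rode along; *fd is -1 if none came. */
static ssize_t recv_fd(int chan, int *fd, void *buf, size_t len)
{
    struct iovec iov = { buf, len };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { 0 };
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
    ssize_t n = recvmsg(chan, &msg, 0);
    struct cmsghdr *c = n > 0 ? CMSG_FIRSTHDR(&msg) : NULL;
    *fd = -1;
    if (c && c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS)
        memcpy(fd, CMSG_DATA(c), sizeof *fd);
    return n;
}

/* Unprivileged side: ship socket + address, turn the reply into bind() semantics. */
int privbind_request(int chan, int sockfd, const struct sockaddr *addr, socklen_t len)
{
    int32_t reply;
    if (send_fd(chan, sockfd, addr, len) != 0) return -1;
    if (read(chan, &reply, sizeof reply) != (ssize_t)sizeof reply) { errno = EIO; return -1; }
    if (reply != 0) { errno = reply; return -1; }
    return 0;
}

/* Only reserved ports (1..1023) need the detour; everything else stays in libc. */
int privbind_needs_helper(const struct sockaddr *addr, socklen_t len)
{
    uint16_t port = 0;
    if (addr->sa_family == AF_INET && len >= sizeof(struct sockaddr_in))
        port = ntohs(((const struct sockaddr_in *)addr)->sin_port);
    else if (addr->sa_family == AF_INET6 && len >= sizeof(struct sockaddr_in6))
        port = ntohs(((const struct sockaddr_in6 *)addr)->sin6_port);
    return port != 0 && port < 1024;
}

#ifdef PRIVBIND_SHIM
/* The LD_PRELOAD entry point that replaces libc's bind() for the process. */
int bind(int sockfd, const struct sockaddr *addr, socklen_t len)
{
    static int (*real_bind)(int, const struct sockaddr *, socklen_t);
    struct sockaddr_un un = { .sun_family = AF_UNIX };
    const char *path = getenv("PRIVBIND_SOCKET");
    int chan, rc, saved;
    if (!real_bind) real_bind = dlsym(RTLD_NEXT, "bind");
    if (!privbind_needs_helper(addr, len)) return real_bind(sockfd, addr, len);
    if (!path || strlen(path) >= sizeof un.sun_path) { errno = EACCES; return -1; }
    strcpy(un.sun_path, path);
    if ((chan = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;
    if (connect(chan, (struct sockaddr *)&un, sizeof un) != 0) { saved = errno; close(chan); errno = saved; return -1; }
    rc = privbind_request(chan, sockfd, addr, len);
    saved = errno; close(chan); errno = saved;
    return rc;
}
#else
/* Privileged side, one request per call. The helper runs as root, so the
 * policy callback is where it decides what this client may bind; it must not
 * trust the caller. Closing fd drops only the helper's reference. */
int privbind_serve_one(int chan, privbind_policy policy)
{
    struct sockaddr_storage ss;
    int fd, err = 0;
    int32_t reply;
    ssize_t n = recv_fd(chan, &fd, &ss, sizeof ss);
    if (n <= 0 || fd < 0) return -1;
    if (policy && !policy((struct sockaddr *)&ss, (socklen_t)n)) err = EACCES;
    else if (bind(fd, (struct sockaddr *)&ss, (socklen_t)n) != 0) err = errno;
    close(fd);
    reply = err;
    return write(chan, &reply, sizeof reply) == (ssize_t)sizeof reply ? 0 : -1;
}

static int loopback_only(const struct sockaddr *a, socklen_t l)
{
    return a->sa_family == AF_INET && l >= sizeof(struct sockaddr_in) &&
           ((const struct sockaddr_in *)a)->sin_addr.s_addr == htonl(INADDR_LOOPBACK);
}

/* Round trip with a forked helper over a socketpair (port 0 so no privilege
 * is needed; the policy path is what is exercised). Returns 0 when the
 * loopback bind succeeds via the helper and the wildcard bind is refused. */
int privbind_selftest(void)
{
    int sv[2], s, t, rc = -1;
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    struct sockaddr_in w = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_ANY) };
    socklen_t alen = sizeof a;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {
        close(sv[0]);
        _exit(privbind_serve_one(sv[1], loopback_only) == 0 &&
              privbind_serve_one(sv[1], loopback_only) == 0 ? 0 : 1);
    }
    close(sv[1]);
    s = socket(AF_INET, SOCK_STREAM, 0);
    t = socket(AF_INET, SOCK_STREAM, 0);
    if (s >= 0 && t >= 0 &&
        privbind_request(sv[0], s, (struct sockaddr *)&a, sizeof a) == 0 &&
        getsockname(s, (struct sockaddr *)&a, &alen) == 0 && a.sin_port != 0 &&
        privbind_request(sv[0], t, (struct sockaddr *)&w, sizeof w) != 0 && errno == EACCES)
        rc = 0;
    if (s >= 0) close(s);
    if (t >= 0) close(t);
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return rc;
}
#endif
```

Two caveats a practitioner will hit: the preload only reaches dynamically linked, non-setuid programs (the dynamic linker ignores LD_PRELOAD for setuid binaries, which is exactly why the trick cannot be used to escalate), and the helper is the new trust boundary, so its policy callback, not the shim, is what keeps a compromised named or sendmail from grabbing every reserved port. SCM_RIGHTS passing works the same way on FreeBSD and Linux; on older glibc the shim build needs -ldl for dlsym().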