[1803] in linux-security and linux-alert archive
[linux-security] Re: Re: Configuration for binding to "secure" ports?
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Fri May 29 12:26:35 1998
Date: Fri, 29 May 1998 14:15:10 +0200
From: Olaf Kirch <okir@monad.swb.de>
In-reply-to: "Your message of Fri, 29 May 1998 11:26:37 +0200."
<Pine.LNX.3.95.980529110511.21258E-100000@kerberos.troja.mff.cuni.cz>
To: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

On Fri, 29 May 1998 11:26:37 +0200, Pavel Kankovsky wrote:
> Well, you could also modify bind() to pass the socket (using BSD-like
> unix-domain socket magic) to a privileged "binder daemon" and let it
> decide whether you are allowed to bind it to the given port--and do it
> itself if you are.

I've toyed with this idea for some time... 2.1 offers a feature by
which the kernel passes your uid/gid to the unix socket peer upon connect.
This neatly solves the problem of authenticating anyone connecting to
a unix socket.

While the new capabilities stuff definitely does it better for binding to
a privileged port, other services (e.g. opening a modem port; writing
utmp) might still benefit from this.

Olaf
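The binder-daemon exchange discussed in this thread, as an added Python sketch for current Linux that is not part of the original post: the client passes its unbound socket over a unix-domain socket with SCM_RIGHTS, and the binder decides based on the peer uid the kernel reports. Assumptions: SO_PEERCRED is used as the interface for kernel-supplied peer credentials, and the function names, the policy table format, the one-byte reply and the loopback address are hypothetical.

```python
import os, socket, struct

def send_request(chan, sock, port):
    """Client: pass our unbound socket (SCM_RIGHTS) plus the port we want."""
    chan.sendmsg([struct.pack("!H", port)],
                 [(socket.SOL_SOCKET, socket.SCM_RIGHTS,
                   struct.pack("i", sock.fileno()))])

def peer_uid(chan):
    """uid of the peer as recorded by the kernel (struct ucred: pid, uid, gid)."""
    cred = chan.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                           struct.calcsize("iII"))
    return struct.unpack("iII", cred)[1]

def serve_one(chan, policy, addr="127.0.0.1"):
    """Binder: bind the passed socket only if policy maps the peer's uid to the port."""
    data, anc, _, _ = chan.recvmsg(2, socket.CMSG_LEN(struct.calcsize("i")))
    fds = [struct.unpack("i", d)[0] for lvl, typ, d in anc
           if (lvl, typ) == (socket.SOL_SOCKET, socket.SCM_RIGHTS) and len(d) == 4]
    ok = False
    try:
        if len(data) == 2 and fds:
            port = struct.unpack("!H", data)[0]
            s = socket.socket(fileno=fds[0])  # raises OSError if not a socket
            fds.clear()                       # s now owns the descriptor
            with s:
                if (s.family == socket.AF_INET and s.type == socket.SOCK_STREAM
                        and port in policy.get(peer_uid(chan), ())):
                    s.bind((addr, port))      # the privileged step in a real daemon
                    ok = True
    except OSError:
        pass                                  # not a socket, port busy, ...
    finally:
        for fd in fds:                        # never keep descriptors a peer pushed at us
            os.close(fd)
    chan.send(b"\x01" if ok else b"\x00")
    return ok

def demo(policy, port):
    """One exchange over a socketpair: returns (granted, port our socket ended up on)."""
    client, binder = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    with client, binder, tcp:
        send_request(client, tcp, port)
        serve_one(binder, policy)
        return client.recv(1) == b"\x01", tcp.getsockname()[1]
```

The uid comes from the kernel rather than from anything the client wrote into the request, so the policy lookup cannot be influenced by the message contents.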