From: Tobias DiPasquale <codeslinger@gmail.com>
To: netfilter <netfilter@lists.netfilter.org>
Subject: Re: kernel-2.6: ipsec without devices
Date: Thu, 5 Aug 2004 12:35:41 -0400 [thread overview]
Message-ID: <876ef97a040805093570c8d2c@mail.gmail.com> (raw)
In-Reply-To: <1091720922.14493.16.camel@moola.futuresource.com>
On Thu, 05 Aug 2004 10:48:43 -0500, Les Mikesell <les@futuresource.com> wrote:
> But it still makes as much sense to require open() to pass the
> access control restrictions as it does for every other device.
It ceases to make sense once you realize that you are not opening the
"device", per se, but simply a socket that is bourne by said device.
Character and block devices use open() to open the device itself. A
network device is "always on", so to speak, and you use socket() to
create a communications channel through that device.
> I was very surprised when I first saw that Linux
> omitted such a basic basic security concept of unix (all the
> magic happens in open()). As far as the network goes, it is
> the same thing as Lindows/Linspire defaulting to letting everyone
> run as root.
I see your point. But this interface was designed over 20 years ago by
the BSD team and it certainly made sense from their perspective to
create a new set of system calls because this type of device did not
neatly fit into the "everything is a file" paradigm that UNIX uses.
But, clearly, it would be a great benefit if you could set your eth0
to 0600 root:root and prevent regular users from abusing the network
card.
The question is, though, what would doing that actually mean? I
believe the impediment to this solution is that the card signals the
kernel of incoming packets with no warning, and thus checking the user
permissions is not possible since the handling of network devices
happens all in interrupt context (i.e. not on behalf of a particular
user). As well, the datalink, network and transport layers have no
concept of user permissions or ownership and you couldn't tack one on
without implementing a global authentication scheme that everyone
involved adheres to.
--
[ Tobias DiPasquale ]
0x636f6465736c696e67657240676d61696c2e636f6d
prev parent reply other threads:[~2004-08-05 16:35 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-08-05 9:33 kernel-2.6: ipsec without devices richard lucassen
2004-08-05 10:09 ` Antony Stone
2004-08-05 10:25 ` richard lucassen
2004-08-05 12:35 ` Les Mikesell
2004-08-05 13:05 ` Tobias DiPasquale
2004-08-05 15:48 ` Les Mikesell
2004-08-05 16:35 ` Tobias DiPasquale [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=876ef97a040805093570c8d2c@mail.gmail.com \
--to=codeslinger@gmail.com \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.