From: Andreas Ferber <aferber@techfak.uni-bielefeld.de>
To: Olaf Dietsche <olaf.dietsche--list.linux-kernel@exmail.de>
Cc: linux-kernel@vger.kernel.org
Subject: Re: [ANNOUNCE][PATCH] New fs to control access to system resources
Date: Wed, 16 Jan 2002 19:51:06 +0100 [thread overview]
Message-ID: <20020116195105.C18039@devcon.net> (raw)
In-Reply-To: <87k7uj61tk.fsf@tigram.bogus.local>
In-Reply-To: <87k7uj61tk.fsf@tigram.bogus.local>; from olaf.dietsche--list.linux-kernel@exmail.de on Tue, Jan 15, 2002 at 05:01:11PM +0100
On Tue, Jan 15, 2002 at 05:01:11PM +0100, Olaf Dietsche wrote:
>
> this is a new file system to control access to system resources.
> Currently it controls access to inet_bind() with ports < 1024 only.
Just some minor notes from reading the source and docs:
- It somewhat collides with the Linux Security Module project
(http://lsm.immunix.org/). LSM is AFAIK very likely to be included
into kernel somewhere in the 2.5 timeframe, so I don't think your
accessfs in its current form will be included into 2.5. Also I don't
think it will be included into 2.4 some time, as it is rather
intrusive. This doesn't mean that I think your work is bogus, but
you should be warned that you will most likely have to maintain it
as a separate patch at least until you port it to LSM (which
probably will not be possible at least in the first phase of LSM -
read the discussions on "restrictive vs. authoritative hooks" in the
LSM mailinglist archives).
- CAP_NET_BIND_SERVICE is ignored completely. IMHO a process with this
capability should still be able to override the accessfs
permissions, otherwise enabling accessfs will break every setup
where CAP_NET_BIND_SERVICE is already used to give non-root
processes access to low ports. At least this should be mentioned in
the docs (and Configure.help entry!), as it means that you can't mix
the accessfs and the capability approach on a machine (e.g. if one
wants to migrate the services on the machine one for one). It also
breaks any network daemons that already use CAP_NET_BIND_SERVICE
internally (don't know of an example, but maybe there are some out
there).
- chown()ing a port to a uid provides this uid also with the ability
to pass on access privileges to others via chmod(). It could be
argued if it is more sensible to restrict changing privileges to
root (maybe CAP_NET_ADMIN is more appropriate?).
And some wishlist items:
- It would be nice if there were a way to distinguish between TCP and
UDP ports.
- IPv6 support would be nice. This raises the question what will
happen if a process has the privileges to bind a particular port
with IPv6 but not with IPv4 (IPv6 listeners take IPv4 connections
also). Is there any value in distinguishing IPv6 and IPv4 at all,
in particular if IPv6 gets into more widespread use in the future?
- Restricting access to certain high ports would be valuable. For
example many SQL server use those ports, and it would be nice if one
could prevent ordinary user processes from taking over their ports
in case the SQL daemon gets restarted or the like.
At least accessfs is a nice and expandable idea. Keep up the work :-)
Andreas
--
Andreas Ferber - dev/consulting GmbH - Bielefeld, FRG
---------------------------------------------------------
+49 521 1365800 - af@devcon.net - www.devcon.net
next prev parent reply other threads:[~2002-01-16 18:52 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-01-15 16:01 [ANNOUNCE][PATCH] New fs to control access to system resources Olaf Dietsche
2002-01-15 16:53 ` Richard Gooch
2002-01-15 17:38 ` Wichert Akkerman
2002-01-15 17:54 ` Richard Gooch
2002-01-15 17:48 ` Olaf Dietsche
2002-01-16 19:05 ` Andreas Ferber
2002-01-15 22:13 ` Ben Clifford
2002-01-15 22:24 ` Measuring execution time Mark Cuss
2002-01-16 17:23 ` Chris Friesen
2002-01-16 17:53 ` Richard B. Johnson
2002-01-16 21:47 ` Jakob Østergaard
2002-01-16 17:18 ` [ANNOUNCE][PATCH] New fs to control access to system resources Olaf Dietsche
2002-01-16 18:26 ` Ben Clifford
2002-01-17 0:34 ` Olaf Dietsche
2002-01-15 22:51 ` CaT
2002-01-15 23:00 ` David Weinehall
2002-01-15 23:13 ` CaT
2002-01-16 4:19 ` dean gaudet
2002-01-16 17:18 ` Olaf Dietsche
2002-01-16 18:12 ` dean gaudet
2002-01-17 0:34 ` Olaf Dietsche
2002-01-16 18:51 ` Andreas Ferber [this message]
2002-01-16 13:38 ` gmack
2002-01-16 23:06 ` Greg KH
2002-01-17 9:26 ` Andreas Ferber
2002-01-18 19:38 ` Greg KH
2002-01-18 15:36 ` Anthony DeRobertis
2002-01-18 18:22 ` Olaf Dietsche
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20020116195105.C18039@devcon.net \
--to=aferber@techfak.uni-bielefeld.de \
--cc=linux-kernel@vger.kernel.org \
--cc=olaf.dietsche--list.linux-kernel@exmail.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox