Hi,
this is a new file system to control access to system resources.
Currently it controls access to inet_bind() with ports < 1024 only.
With this patch, there's no need anymore to run internet daemons as
root. You can individually configure which user/program can bind to
ports below 1024.
For example, you can say, user www is allowed to bind to port 80 or
user mail is allowed to bind to port 25. Then, you can run apache as
user www and sendmail as user mail. Now, you don't have to rely on
apache or sendmail giving up superuser rights to enhance security.
To use this, you need to mount the file system and do a chown on the
appropriate ports:
# mount -t accessfs none /mnt
# chown www /mnt/net/ipv4/bind/80
# chown mail /mnt/net/ipv4/bind/25
...
You can grant access to a group for individual ports as well. Just say:
# chgrp lp /mnt/net/ipv4/bind/515
# chown g+x /mnt/net/ipv4/bind/515
... and you're done.
This patch is against 2.4.14, but it applies with offsets to 2.4.17
and 2.5.2 as well. However, I have built and tested 2.4.14 only.
Now, I would like to here from you, whether you find this useful or
not, have any suggestions, objections ... please tell me.
Of course, comments on the code are welcome too :-).
Thanks for your time.
Regards, Olaf.
This archive was generated by hypermail 2b29 : Tue Jan 15 2002 - 21:00:51 EST