suggestion: portfs?

Michael Driscoll (fenris@lightspeed.net)
Mon, 4 Nov 1996 20:33:13 -0800

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Michael Driscoll: "make oldconfig peeve"
Previous message: David Ngo: "Kernel oops in ethernet code"

>Seems to me it would be easy to make a simple switch statement for
>privileged ports which would allow a certain user to access a certain
>privileged port -- and only that user (even disallow root if specified) --
>that way it would be easier to set up well known services without having
>to sit there and set up suid bits, etc. for all the servers. This would
>be most useful for standalone servers such as web servers, etc.
>
>There are lots of reasons why this is useful. One is a sysadm delegating
>a certain well known service to an untrusted user. Another is sticking
>Tcl HTTPD 1.1.1 (http://www.sunlabs.com/research/tcl/webtk/tclhttpd.html)
>up without learning tcl's command to do suid and still putting it in
>place of the Apache 1.1.1 httpd that never did work since somewhere in the
>2.0.? range. I'm sure there are other applications.
>
>Anyway, somebody have a patch that already does something like that?
>I'm sure I could hack in a less elegant static solution (like
>"if(portnum=80&&uid==12345) goto ok;" or whatever the code would say).
>Wait ... hmm ... I can't find it in the kernel source. Is this a libc
>thing?

(Note that I am new to unix and so anything I say should be considered
the mad ravings of a Crazy Eddy, for anybody who gets *that* reference)

It seems that a more unixish way of doing this would be to create an
abstract fs resembling proc that had entries for the first 1024 ports,
access to those ports would be defined by the permissions on these files.
Something like /proc/port/300, or /dev/port/300, etc? Default perms would
of course be rwxrw-rw- root.root, or something like that depending on how
you defined the perms. It sounds neat, although I've no idea what impacts
this would have on anything.

It would solve certain security problems such as the need for running
httpd as root to bind to the port before suid'ing to nobody. You could
just chown www.www /dev/port/80 and run httpd as user www.
Mike
<fenris@lightspeed.net>

Next message: Michael Driscoll: "make oldconfig peeve"
Previous message: David Ngo: "Kernel oops in ethernet code"