is there a way to get a somewhat "lightweight" Posix 1.e? I'm thinking
about an supplement for "if (!suser())" when binding to ports. A small
table of the form
#port uids
25 8 # mail
80 39 # httpd
could allow a httpd running as UID 39 (which is associated with the login
"httpd") to bind to port 80 without root-privileges. The table could be
named /etc/bind_perm and activated by
cat /etc/bind_perm > /proc/kernel/net/bind_perm
This would require only be a few extra bytes added to kernel code and
data, but would limit the impact of security holes in daemons running
(traditionally) as root. Think of the recent bind vulnerability.
Yes, there is a Posix 1.e patch on www.linuxmama.com, but this may be the
overkill for a production system, whereas the slight modification of the
bind-permissions is only a small change which should theoretically not
trigger bugs. At least from my point of view, I'm incredibly stupid and so
I have to ask here.
I heard rumors the FreeBSD-guys have such a feature, but I don't know the
details.
Regards
-Winfried
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu