Dan Hollis writes:
> On Sun, 20 Feb 2000, Horst von Brand wrote:
> > Binding to a low port is a capability (or should be made one, as it is
> > one of the special powers root enjoys right now).
>
> Better would be to give low ports classic unix ownerships, so that
> non-root user 'named' process can bind to e.g. udp/53, but no others.
>
> e.g. 'chown named /proc/sockets/udp/53'
This is what sockfs did that I wrote in 1997. The kernel side of the
patch was tiny and just added a function hook called when a privileged
socket was to be bound. A little pseudo-filesystem module then set that
hook and kept track of owner/permissions for each privileged socket. So
you could do
mount -t sockfs none /sockfs
ls -l /sockfs/53
and see it is "-rw------- root root" and then
chown named /sockfs/53
You could also use chgrp and chmod g+w to make a bunch of port numbers
accessible to a particular group. Unfortunately, the kernel patch was
refused (I tried a few times) so I gave up. If you're interested, see
http://users.ox.ac.uk/~mbeattie/linux-kernel.html#sockfs
--Malcolm
-- Malcolm Beattie <mbeattie@sable.ox.ac.uk> Unix Systems Programmer Oxford University Computing Services- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Wed Feb 23 2000 - 21:00:27 EST