- you could restrict a port to a specific uid (i.e. tcp 113 can be opened
by news and root only)
- you could restrict the range used to generate the "random" port of a
listening socket with unspecified port (i.e. > 1023, not in 6000..6099)
Does POSIX.6 define this sort of thing too? Any sample source out there?
Dean
On Mon, 9 Jun 1997, Chris Evans wrote:
>
> Hi,
>
> I think POSIX.6 security would be a great thing to have in Linux 2.2.
> Surely a POSIX.6 implementation (or one based on its ideas) is not too
> much hassle. In fact with finals concluding soon I may attempt it myself
> :)
>
> However -- I know someone was hacking at POSIX.6 a while back, D. Moffat
> was it? There was even a preliminary patch. Is work still ongoing? Anyone
> got an offical spec. sheet for the thing?
>
> I ask because I have the number of suid binaries on my system down to a
> very low number, and the following remaining are just begging for a subset
> of root privs:
>
> ping, traceroute: priv = open raw socket
> ssh,rlogin,rcp,r<etc> priv = open socket num < 1024
>
> Other useful privilege subsets would of course be read any file, tty
> chowning/chmoding, etc.
>
> Cheers,
> Chris
>
>