On Tue, 16 Sep 1997, Malcolm Beattie wrote:
> Here's sockfs, a little pseudo-filesystem that lets you set the
> owner/group/permissions for reserved ports just by using
> chown/chgrp/chmod and ls. I wrote it a few weeks ago as an
> exercise to see how modular filesystems worked and because it
> struck me as being the "right" way to do reserved port permission
> checking. I see that there are some other suggested solutions now
> so I thought I ought to polish this up and release it.
>
> The only patch necessary to the kernel itself is a tiny one which
> (1) creates an exported function pointer
> int (*prot_sock_ok)(unsigned int family, unsigned int port)
> (2) changes the test in af_inet.c to add:
> + if (prot_sock_ok)
> + return prot_sock_ok(AF_INET, snum);
> if (snum < PROT_SOCK && !suser())
> return(-EACCES);
>
> The sockfs filesystem is modular, can be built away from the
> kernel and lets you do
> # mount -t sockfs sockfs /sockfs
> after which /sockfs/1, /sockfs/2, ... show up as 700 root-owned
> zero-length files just as pid files do under /proc. You can then
> use standard tools chown/chgrp/chmod on them: when a process
> attempts to bind a reserved port, the kernel (via the prot_sock_ok
> function which the filesystem module sets) checks whether the
> process has write permission to the relevant file in /sockfs.
>
> Since the whole thing is only 8K when the .tar.gz is uuencoded,
> I thought I might as well include it here. Full instructions are
> in the included README. The patch and filesystem were written for
> a 2.0.29 kernel but I'd be very surprised if it didn't work OK for
> pretty much any 2.0.x. There's nothing fancy about it.
> Please let me know what you think.
>