Re: sockfs - a filesystem for reserved port permissions

Malcolm Beattie (mbeattie@sable.ox.ac.uk)
Thu, 18 Sep 1997 16:15:22 +0100 (BST)


linux kernel account writes:
>
> What do you think of the future possibility of a program using regular
> file ops on these to open network sockets etc?
>
> On Tue, 16 Sep 1997, Malcolm Beattie wrote:
>
> > Here's sockfs, a little pseudo-filesystem that lets you set the
> > owner/group/permissions for reserved ports just by using
> > chown/chgrp/chmod and ls. I wrote it a few weeks ago as an

I don't think it's really suitable for this, although I did think
about it. sockfs, since it applies only to bind(), only has to
worry about one end of the connection. Furthermore, it currently
doesn't distinguish between multiple local addresses (so you can't
set permissions such that username foo can only bind to port 666
on one IP alias and not another). That would be doable with more
effort: the kernel would need to call the hook and pass in the
address too and the filesystem would have to have another level
(/sockfs/1.2.3.4/666) and would probably have to keep track
dynamically of IP aliases: blech.

I've made it fairly easily extensible to families other than
AF_INET if they have a concept of "privileged ports" (if there
are any)--the filesystem would then look like /sockfs/inet/666.

Writing the file operations so that they do clever things like
opening connections would need extra bits of information such as
remote address passed out of band so you wouldn't really be able
to use standard user-mode tools anyway. And if you're going to
have to write/tweak user-mode tools you might as well stick with
the standard socket API and use something like netcat or an URL
library anyway.

--Malcolm

-- 
Malcolm Beattie <mbeattie@sable.ox.ac.uk>
Unix Systems Programmer
Oxford University Computing Services
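
The per-address layout sketched in the message (/sockfs/1.2.3.4/666), as an added user-space model in C; it is not sockfs code and not part of the original post. The node structure, the `may_bind` hook name, the use of the execute bit as the bind permission, and the fallback to an any-address entry are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>

/* One node of the hypothetical two-level layout /sockfs/<addr>/<port>.
 * addr == 0 stands for a port entry that applies to every local address. */
struct port_node {
    uint32_t addr;   /* local IPv4 address, host byte order; 0 = any */
    uint16_t port;
    uid_t    uid;
    gid_t    gid;
    mode_t   mode;   /* classic rwxrwxrwx bits */
};

#define MAY_BIND 01  /* assumption: the execute bit means "may bind" */

/* Constructed sample table: uid 1000 may bind port 666 only on 1.2.3.4;
 * port 80 is open to group 33 on every address. */
static const struct port_node table[] = {
    { 0x01020304u, 666, 1000, 0, 0100 },
    { 0x01020305u, 666, 0,    0, 0100 },
    { 0,           80,  0,   33, 0110 },
};

static const struct port_node *lookup(uint32_t addr, uint16_t port)
{
    const struct port_node *any = NULL;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (table[i].port != port) continue;
        if (table[i].addr == addr) return &table[i];  /* exact alias wins */
        if (table[i].addr == 0) any = &table[i];
    }
    return any;
}

/* Model of the bind() hook: returns 1 if (uid, gid) may bind addr:port. */
int may_bind(uid_t uid, gid_t gid, uint32_t addr, uint16_t port)
{
    const struct port_node *n;
    if (port >= 1024 || uid == 0) return 1;  /* unreserved port or root */
    n = lookup(addr, port);
    if (!n) return 0;                        /* no node: default deny */
    if (uid == n->uid) return (n->mode >> 6) & MAY_BIND;
    if (gid == n->gid) return (n->mode >> 3) & MAY_BIND;
    return n->mode & MAY_BIND;
}
```

In this model a bind to the wildcard address (0) on a port that only has per-address nodes is denied, since no single node covers every alias.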