Re: [ANNOUNCE][PATCH] New fs to control access to system resources
Richard Gooch (rgooch@ras.ucalgary.ca)
Tue, 15 Jan 2002 09:53:47 -0700
Olaf Dietsche writes:
> --=-=-=
>
> Hi,
>
> this is a new file system to control access to system resources.
> Currently it controls access to inet_bind() with ports < 1024 only.
>
> With this patch, there's no need anymore to run internet daemons as
> root. You can individually configure which user/program can bind to
> ports below 1024.
>
> For example, you can say, user www is allowed to bind to port 80 or
> user mail is allowed to bind to port 25. Then, you can run apache as
> user www and sendmail as user mail. Now, you don't have to rely on
> apache or sendmail giving up superuser rights to enhance security.
>
> To use this, you need to mount the file system and do a chown on the
> appropriate ports:
>
> # mount -t accessfs none /mnt
> # chown www /mnt/net/ipv4/bind/80
> # chown mail /mnt/net/ipv4/bind/25
Having to set the permissions like this on each boot seems a bit
painful. Why not have permissions persistence like devfs has?
Regards,
Richard....
Permanent: rgooch@atnf.csiro.au
Current: rgooch@ras.ucalgary.ca
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/