
Re: Got root?



On Tue, May 01, 2001 at 10:11:45AM +0000, Adam Olsen wrote:
> 
> On Tue, May 01, 2001 at 05:48:54AM -0400, Andres Salomon wrote:
> > Perhaps I'm misunderstanding your proposition, but how is this different
> > than, say, having inetd listen on ports below 1024, and then
> > forking/changing to a different user once a connection is made to the port?
> > 
> 
> To use inetd, a new process is spawned for each connection, and the
> daemon has to be written to use identd.  With his, it's just like
> opening on a port above 1024.

I didn't realize this was significant in what was being proposed..

> 
> Although my personal opinion is that it should be controlled via
> user/group, not binary.  eg, your webserver user can open port 80.
> 

Sort of like sudo, only w/ capabilities?  I see nothing wrong w/ that,
although I don't see why it must be done in the kernel..

> > 
> > 
> > On Sun, Apr 29, 2001 at 07:19:06AM -0400, Sunny Dubey wrote:
> > <snip>
> > > 
> > > It would be like having a file called /etc/acl.ports (or something) and 
> > > within the file, would be a list which binaries are allowed to bind to what 
> > > ports.  (an example is provided below)
> > > 
> > > # /etc/acl.ports
> > > # Port Numbers               binary
> > > 80      /usr/local/apache/bin/httpd
> > > 22          /usr/local/openssh/sshd
> > > 21         /usr/local/anonftpd/ftpd
> 
> -- 
> Adam Olsen, aka Rhamphoryncus
> 
> 
> --  
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 

-- 
"... being a Linux user is sort of like living in a house inhabited
by a large family of carpenters and architects. Every morning when
you wake up, the house is a little different. Maybe there is a new
turret, or some walls have moved. Or perhaps someone has temporarily
removed the floor under your bed." - Unix for Dummies, 2nd Edition
        -- found in the .sig of Rob Riggs, rriggs@tesser.com
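The thread leaves the /etc/acl.ports idea as a sketch. As an added example (not code from any of the posters, and not how Debian or the kernel does anything), the following parses the file format Sunny quoted and makes the policy decision in userland, the way Andres' "sudo with capabilities" remark implies: a small privileged helper reads the ACL, refuses to bind unless the (port, binary) pair is listed, and otherwise hands back a bound socket. The sample file is constructed from the one in the thread; the function names `parse_acl`, `may_bind` and `bind_for` and the "ports above 1024 are open to everyone" rule are assumptions for illustration.

```python
"""Userland policy check for the /etc/acl.ports idea discussed in the thread.

Added example, not from the original posts.  Assumes the file format shown
there: '#' comments, blank lines, and one 'PORT  /absolute/path/to/binary'
pair per line.  Ports at or above 1024 are treated as unrestricted, matching
the normal Unix rule the thread is trying to relax for specific binaries.
"""
import os
import socket

# Constructed sample, modelled on the file quoted in the thread.
SAMPLE_ACL = """\
# /etc/acl.ports
# Port Numbers               binary
80      /usr/local/apache/bin/httpd
22          /usr/local/openssh/sshd
21         /usr/local/anonftpd/ftpd
"""

PRIVILEGED_PORT_LIMIT = 1024


def parse_acl(text):
    """Return {port: set(binary paths)}.

    Malformed lines raise rather than being skipped: a policy file that
    silently drops entries is worse than one that refuses to load.
    """
    acl = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"acl.ports:{lineno}: expected 'PORT BINARY', got {raw!r}")
        port_s, binary = fields
        if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
            raise ValueError(f"acl.ports:{lineno}: bad port {port_s!r}")
        # Only accept canonical absolute paths: a relative path or one with
        # '..' in it would match whatever the caller put in its cwd.
        if not os.path.isabs(binary) or os.path.normpath(binary) != binary:
            raise ValueError(f"acl.ports:{lineno}: binary must be a canonical absolute path, got {binary!r}")
        acl.setdefault(int(port_s), set()).add(binary)
    return acl


def may_bind(acl, binary, port):
    """Policy decision: privileged ports need an ACL entry, others are open."""
    if port >= PRIVILEGED_PORT_LIMIT:
        return True
    return binary in acl.get(port, set())


def bind_for(acl, binary, port, host="0.0.0.0"):
    """Bind the port on behalf of `binary` if the ACL allows it.

    This is the step a root-owned helper would perform before passing the
    socket to the unprivileged daemon (a hypothetical design, not something
    the thread specifies).  No socket is created on refusal.
    """
    if not may_bind(acl, binary, port):
        raise PermissionError(f"{binary} is not allowed to bind port {port}")
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(5)
    return sock


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for binary, port in [("/usr/local/apache/bin/httpd", 80),
                         ("/usr/local/openssh/sshd", 80),
                         ("/home/user/bin/devserver", 8080)]:
        print(f"{binary} -> port {port}: {'allowed' if may_bind(acl, binary, port) else 'denied'}")
```

The weak point of any per-binary scheme, in userland or in the kernel, is what "the binary" means: a helper only knows the path the caller claims unless it inspects the calling process itself, and a copied or symlinked executable is a different path with identical contents. That is the argument for Adam's user/group variant, where the identity being checked is one the kernel already enforces.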


