From owner-freebsd-security Sun Feb 20 1:59:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from tricord.system.pl (tricord.system.pl [195.205.185.10]) by hub.freebsd.org (Postfix) with ESMTP id 35D7B37BC7B for ; Sun, 20 Feb 2000 01:59:44 -0800 (PST) (envelope-from sopel@tricord.system.pl)
Received: (from sopel@localhost) by tricord.system.pl (SYSTEM Internet) id KAA15474; Sun, 20 Feb 2000 10:59:31 +0100 (MET)
Date: Sun, 20 Feb 2000 10:59:31 +0100
From: Wojtek Sobczuk
To: Tom Marchand
Cc: freebsd-security@freebsd.org
Subject: Re: Controlled Network Access
Message-ID: <20000220105931.A15380@tricord.system.pl>
References: <200002200009.TAA24866@duval.se.mediaone.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <200002200009.TAA24866@duval.se.mediaone.net>; from Tom Marchand on Sat, Feb 19, 2000 at 07:04:46PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Feb 19, 2000 at 07:04:46PM -0500, Tom Marchand wrote:
> I would like to control which users can access tcpip utilities (ftp, telnet,
> etc) by using groups. I realize that this can be accomplished via the
> proper file permissions on each utility. This works but it will not prevent
> somebody from compiling their own ftp, telnet etc. My thought was to
> perform the authorization at the socket level. This would entail
> modification of the kernel to only allow root or a member of the tcpip group
> to open a socket. Does anybody know if this has been done or if it would
> even work? I originally had this requirement at work to lock down external
> vendors. Since we are an AIX shop it was quite easy. On AIX you must be a
> member of the system group to access network utilities.

Below I include a little patch I've written a long time ago (I'm not even
sure if it works on the newest releases, but it worked when I did it (3.0 it
was, I think)). It limits socket creation to root and a chosen uid/gid. On
my machine it worked perfectly.

I hope it helps,
Wojtek

------ cut -------------------------------------------------------------------
--- uipc_syscalls.c.orig Sun Aug 23 03:06:59 1998
+++ uipc_syscalls.c Tue Jan 5 22:16:01 1999
@@ -88,6 +88,24 @@ socket(p, uap) struct file *fp; int fd, error; +/***** socket user/group ******/ +#define ALLOW_GROUP 155 +#define ALLOW_USER 122 + + if (uap->domain != AF_LOCAL) { + error = 1; + for (fd = 0; fd < p->p_ucred->cr_ngroups; fd++) { + if (p->p_ucred->cr_groups[fd] == ALLOW_GROUP) { + error = 0; + break; + } + } + /*** we allow GROUP and USER and root to make sockets ***/ + if (error && p->p_ucred->cr_uid && + p->p_ucred->cr_uid != ALLOW_USER) + return (1); + } +/*** end patch ****/ error = falloc(p, &fp, &fd); if (error) return (error); ------ cut ------------------------------------------------------------------- -- Wojciech Sobczuk To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
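Review bot: the rejection path in this hunk does `return (1);`, a bare magic number where the caller expects an errno; it should be `return (EPERM);` so the policy denial is explicit and does not silently depend on EPERM happening to be 1. In the same hunk, `ALLOW_GROUP` and `ALLOW_USER` are `#define`d inside the function body as site-specific numeric ids (155 and 122) and would be better exposed as kernel config options or sysctl tunables so the policy can be changed without recompiling, and a short comment should record that `cr_uid` is the effective uid and that uid 0 is always allowed. Reusing `fd` as the group loop index and `error` as a "not found" flag works but obscures the logic; a dedicated `int i, allowed = 0;` would read more clearly, and the check should be documented as applying only to `socket()` for non-`AF_LOCAL` domains, which is the scope of the control this patch provides.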