Date:      Sun, 20 Feb 2000 10:59:31 +0100
From:      Wojtek Sobczuk <sopel@system.pl>
To:        Tom Marchand <unixwiz@mediaone.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Controlled Network Access
Message-ID:  <20000220105931.A15380@tricord.system.pl>
In-Reply-To: <200002200009.TAA24866@duval.se.mediaone.net>; from Tom Marchand on Sat, Feb 19, 2000 at 07:04:46PM -0500
References:  <200002200009.TAA24866@duval.se.mediaone.net>

On Sat, Feb 19, 2000 at 07:04:46PM -0500, Tom Marchand wrote:
> I would like to control which users can access tcpip utilities (ftp, telnet,
> etc) by using groups.  I realize that this can be accomplished via the
> proper file permissions on each utility.  This works but it will not prevent
> somebody from compiling their own ftp, telnet etc.  My thought was to
> perform the authorization at the socket level.  This would entail
> modification of the kernel to only allow root or a member of the tcpip group
> to open a socket.  Does anybody know if this has been done or if it would
> even work?  I originally had this requirement at work to lock down external
> vendors.  Since we are an AIX shop it was quite easy.  On AIX you must be a
> member of the system group to access network utilities.

Below I include a little patch I wrote a long time ago (I'm not even sure
if it works on the newest releases, but it worked when I did it (3.0 it was,
I think)).  It limits socket execution to root and a chosen uid/gid.  On my
machine it worked perfectly.

I hope it helps,
Wojtek


------ cut -------------------------------------------------------------------
--- uipc_syscalls.c.orig	Sun Aug 23 03:06:59 1998
+++ uipc_syscalls.c	Tue Jan  5 22:16:01 1999
@@ -88,6 +88,24 @@ socket(p, uap)
 	struct file *fp;
 	int fd, error;
 
+/***** socket user/group ******/
+#define ALLOW_GROUP	155
+#define ALLOW_USER	122
+
+	if (uap->domain != AF_LOCAL) {
+		error = 1;
+		for (fd = 0; fd < p->p_ucred->cr_ngroups; fd++) {
+			if (p->p_ucred->cr_groups[fd] == ALLOW_GROUP) {
+				error = 0;
+				break;
+			}
+		}
+		/*** we allow GROUP and USER and root to make sockets ***/
+		if (error && p->p_ucred->cr_uid &&
+		    p->p_ucred->cr_uid != ALLOW_USER)
+			return (1);
+	}
+/*** end patch ****/
 	error = falloc(p, &fp, &fd);
 	if (error)
 		return (error);
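Review bot: `return (1);` at the end of the added block hands a magic number back as the syscall's errno; use `return (EPERM);` so the intent is visible (on FreeBSD EPERM happens to be 1, so behaviour is unchanged). In the same block the loop borrows `fd` as a counter and `error` as an "allowed" flag before `falloc()` assigns both; a dedicated `int i, allowed;` would read better and avoids surprising a later reader who sees `fd` used before it is a descriptor. Two points worth documenting in a comment above the block: the hard-coded `ALLOW_GROUP`/`ALLOW_USER` constants mean a rebuild for every policy change (a sysctl or loader tunable would be the usual FreeBSD way), and the check covers only creation through `socket(2)` with a non-`AF_LOCAL` domain, so a descriptor inherited across fork/exec from a permitted process, or passed over an `AF_LOCAL` socket (which stays unrestricted), is not subject to it.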

------ cut -------------------------------------------------------------------

-- 
Wojciech Sobczuk <sopel@system.pl>
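The policy the patch implements, as an added user-space example rather than code from the thread or the FreeBSD kernel: the same decision (AF_LOCAL always allowed; otherwise root, one allowed uid, or membership in one allowed gid) written as a function that returns `EPERM` instead of a bare `1`, uses its own loop counter, and is exercised against a constructed table of callers. `struct sim_ucred`, `check_one`, `count_denied` and the sample rows are assumptions made for this example; the uid/gid values 122 and 155 are the ones the patch hard-codes.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>

/* Policy constants, taken from the patch (hypothetical values). */
#define ALLOW_GROUP 155
#define ALLOW_USER  122
#define SIM_NGROUPS 4

/* Minimal stand-in for the kernel's struct ucred (constructed for this example):
 * effective uid plus the supplementary group list. */
struct sim_ucred {
    unsigned int cr_uid;
    int cr_ngroups;
    unsigned int cr_groups[SIM_NGROUPS];
};

/* Returns 0 when the caller may create a socket in `domain`, EPERM otherwise.
 * Same policy as the patch: AF_LOCAL is exempt; otherwise root, ALLOW_USER,
 * or any member of ALLOW_GROUP. Uses a symbolic errno and its own counter
 * instead of reusing `fd`/`error` and returning 1. */
int socket_create_allowed(const struct sim_ucred *cr, int domain)
{
    int i;

    if (domain == AF_LOCAL)
        return 0;
    if (cr->cr_uid == 0 || cr->cr_uid == ALLOW_USER)
        return 0;
    for (i = 0; i < cr->cr_ngroups; i++)
        if (cr->cr_groups[i] == ALLOW_GROUP)
            return 0;
    return EPERM;
}

/* Convenience wrapper: a credential with exactly one supplementary group. */
int check_one(unsigned int uid, unsigned int gid, int domain)
{
    struct sim_ucred cr = { uid, 1, { gid } };
    return socket_create_allowed(&cr, domain);
}

/* Constructed table of would-be socket(2) callers, not real process data. */
struct sample {
    const char *comm;
    unsigned int uid, g0, g1;
    int domain;
};
static const struct sample samples[] = {
    { "sshd(root)",      0,   0,   0, AF_INET  },  /* root: allowed        */
    { "ftp(vendor)",   501, 501, 155, AF_INET  },  /* in ALLOW_GROUP       */
    { "telnet(vendor)",502, 502,  20, AF_INET  },  /* no match: EPERM      */
    { "ftp(122)",      122, 122,  20, AF_INET  },  /* ALLOW_USER           */
    { "mysql(503)",    503, 503,  20, AF_LOCAL },  /* AF_LOCAL exempt      */
    { "nc(504)",       504, 504,  20, AF_INET6 },  /* no match: EPERM      */
};

/* Evaluates every sample, prints the decision, and returns how many were denied. */
int count_denied(void)
{
    int denied = 0;
    size_t n = sizeof samples / sizeof samples[0];

    for (size_t i = 0; i < n; i++) {
        struct sim_ucred cr = { samples[i].uid, 2, { samples[i].g0, samples[i].g1 } };
        int err = socket_create_allowed(&cr, samples[i].domain);

        printf("%-15s uid=%u domain=%d -> %s\n", samples[i].comm, samples[i].uid,
               samples[i].domain, err ? "EPERM" : "allowed");
        if (err)
            denied++;
    }
    return denied;
}

int main(void)
{
    printf("%d of %zu sample callers denied\n", count_denied(),
           sizeof samples / sizeof samples[0]);
    return 0;
}
```

The table makes the patch's blind spot easy to see in the output: `mysql(503)` is allowed purely because it asks for `AF_LOCAL`, and nothing here examines descriptors that a denied process might receive from an allowed one, so the check restricts creation, not use.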

