From: "Allen Smith"
Message-Id: <9807020126.ZM19413@beatrice.rutgers.edu>
Date: Thu, 2 Jul 1998 01:26:21 -0400
In-Reply-To: Darren Reed "Re: bsd securelevel patch question" (Jul 1, 11:34pm)
References: <01IYVQYVEO5E00BUWA@AESOP.RUTGERS.EDU>
To: Darren Reed
Subject: Re: bsd securelevel patch question
Cc: dg@root.com, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com

On Jul 1, 11:34pm, Darren Reed (possibly) wrote:
> well, I dug it up, and it's not really pretty, but it does prove it is
> possible. the way I set it up to work was to read in the directory
> structure prior to mount_portal taking it over and then use the file
> perms in that for access control.
>
> this was just an experiment.
>
> a better way to do it is to have a separate configuration file for the
> perms. so that you can edit those whilst mount_portal is still running.
> I thought I'd had a go at that, but I don't see the code anywhere just
> now so I'll assume it's not going to be easily found.
>
> http://coombs.anu.edu.au/~avalon/mount_portal.tgz

I don't have any way of getting to that currently; could you put that
on an ftp-accessible spot?
There's no link to that from the http://coombs.anu.edu.au/~avalon/ page.

Does this require that programs access these ports via the portal
filesystem itself, or is it simply determining permissions this way?
If the former, then that's going to cause the same sort of problems
with porting - including porting security-critical applications - that
I was mentioning earlier. If the latter, that makes it more
interesting... although probably still requiring some alterations to
the group permissions system to make it work right with setuid
programs, as I was pointing out previously.

	-Allen

-- 
Allen Smith				easmith@beatrice.rutgers.edu