From owner-freebsd-hackers Thu Jan 2 20:43:41 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id UAA28364 for hackers-outgoing; Thu, 2 Jan 1997 20:43:41 -0800 (PST)
Received: (from jmb@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id UAA28355; Thu, 2 Jan 1997 20:43:20 -0800 (PST)
From: "Jonathan M. Bresler"
Message-Id: <199701030443.UAA28355@freefall.freebsd.org>
Subject: Re: file locking / firewalling based on uid/gid
To: avalon@coombs.anu.edu.au (Darren Reed)
Date: Thu, 2 Jan 1997 20:43:19 -0800 (PST)
Cc: proff@iq.org, hackers@FreeBSD.ORG
In-Reply-To: <199701022257.OAA10122@freefall.freebsd.org> from "Darren Reed" at Jan 3, 97 09:57:02 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Darren Reed wrote:
>
> In some mail from Julian Assange, sie said:
> [...]
> > # ipfw add pass tcp from any to any established gid inetd
> > # ipfw add padd tcp from any to any 21,79 setup in gid inetd
>
> I don't think that is a good way (or the right place) to do access control
> for TCP/IP. Firstly, on a gateway, not all TCP packets are likely to have
> a gid (or for there to be one which is "findable") and secondly, where
> the current hooks are, you will cause two tcpb lookups to occur for the
> same packet.
>
> I think it would be cool to be able to do:
>
> # mknod /dev/tcp/21 c major#_for_tcp 21
> # chgrp inetd /dev/tcp/21
> # mknod /dev/tcp/79 c major#_for_tcp 79
> # chgrp inetd /dev/tcp/79
> # mknod /dev/tcp/25 c major#_for_tcp 25
> # chown uucp.mail /dev/tcp/25
> # chmod 770 /dev/tcp/25
> (who needs sendmail to run as root now ?!)
>
> and have open() calls on those devices create sockets.
>
> sockfs anyone ?

Stevens and Pendry called this "portals":

  4.4BSD book, pages 237-8
  USENIX proceedings, Jan '95, pp. 1-10
  http://www.usenix.org/publications/library/proceedings/neworl/full_papers/stevens.ps

Apply standard access control to the portals. sendmail is uid/gid "sendmail":

  chown sendmail.sendmail /p/net/tcp/localhost/25
  chmod 600 /p/net/tcp/localhost/25

jmb