Date: Wed, 1 May 2002 22:18:40 -0400 (EDT)
From: Robert Watson <rwatson@freebsd.org>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: arch@freebsd.org
Subject: Re: deperlifying sockstat(1)
Message-ID: <Pine.NEB.3.96L.1020501221605.21461B-100000@fledge.watson.org>
In-Reply-To: <xzp8z73pjh6.fsf@flood.ping.uio.no>

On 2 May 2002, Dag-Erling Smorgrav wrote:

> I'm working on a C version of sockstat(1), and to complete it I need to
> do nasty stuff like using libkvm and defining _KERNEL before including
> some headers (see fstat). I'm starting to think that it would be easier
> to just make a kern.sockstat sysctl node, and make sockstat(1) a
> #!/bin/sh wrapper around sysctl(8). Ideas?

I'd love it if neither netstat nor sockstat required privilege to run, and could extract it all from sysctl. If you do that, make sure you call appropriate socket visibility hooks in the sysctl export so that it DTRT for jail, MAC, etc. Eliminating setgid kmem even more will continue to markedly improve the security of FreeBSD 5.0... I tweaked a couple out, and Thomas Moestl did a large chunk of the remainder, but there are still some that are left. In particular fixing systat would be highly desirable, as it does a fair amount of I/O.

BTW, your wrapper for the sysctl might have to be a C wrapper so it has easier access to getpw*() and getgr*() in a NIS-happy way. My recollection was that sockstat relied on the results of database lookups to generate nicer output, and it would be a shame to lose that.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1020501221605.21461B-100000>
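
The visibility-filtered export recommended in the message above, sketched as a userland C model. This is an added example, not code from the message or from FreeBSD: `can_see_socket`, `export_sockets`, `count_visible`, the `see_other_uids` flag, the structures and the sample table are all hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins (assumptions), not FreeBSD kernel structures. */
struct cred     { unsigned uid; int jail; };            /* jail 0 = host */
struct sock_rec { unsigned owner; int jail; unsigned short lport; };

/* Constructed sample socket table. */
static const struct sock_rec table[] = {
    { 0,    0, 22   }, { 1001, 0, 8080 }, { 1002, 0, 5432 },
    { 0,    3, 80   }, { 1001, 3, 8443 },
};
#define NSOCK (sizeof(table) / sizeof(table[0]))

/* Hypothetical visibility hook: may credential c learn that s exists? */
static int can_see_socket(const struct cred *c, const struct sock_rec *s,
                          int see_other_uids)
{
    if (c->jail != 0 && c->jail != s->jail)
        return 0;               /* jailed callers see only their own jail */
    if (c->uid == 0)
        return 1;               /* root, already confined by the jail check */
    return see_other_uids || c->uid == s->owner;
}

/* Model of the export handler: the check runs per record, before copy-out,
 * so hidden sockets contribute neither data nor length to the reply. */
static size_t export_sockets(const struct cred *c, int see_other_uids,
                             struct sock_rec *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < NSOCK && n < cap; i++)
        if (can_see_socket(c, &table[i], see_other_uids))
            out[n++] = table[i];
    return n;
}

/* Convenience wrapper: how many records a given caller receives. */
static size_t count_visible(unsigned uid, int jail, int see_other_uids)
{
    struct cred c = { uid, jail };
    struct sock_rec buf[NSOCK];
    return export_sockets(&c, see_other_uids, buf, NSOCK);
}

int main(void)
{
    printf("host root: %zu, jailed uid 1001: %zu\n",
           count_visible(0, 0, 0), count_visible(1001, 3, 0));
    return 0;
}
```

Because the filter sits in the export path rather than in the client, the reading tool needs no setgid kmem and cannot be bypassed by calling the interface directly.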