Date:      Tue, 21 Aug 2001 10:30:09 -0400 (EDT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Mikhail Teterin <mi@aldan.algebra.com>
Cc:        roam@ringlet.net, jeh@FreeBSD.org, sobomax@FreeBSD.org, cjclark@alum.mit.edu, dwmalone@maths.tcd.ie, alex@big.endian.de, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/etc inetd.conf
Message-ID:  <Pine.NEB.3.96L.1010821102552.56052B-100000@fledge.watson.org>
In-Reply-To: <200108211221.f7LCLPq22354@aldan.algebra.com>


On Tue, 21 Aug 2001, Mikhail Teterin wrote:

> On 21 Aug, Peter Pentchev wrote:
>  
> > Still, this would be a good temporary workaround until a more
> > elaborate scheme, like the one described by Robert Watson in another
> > message in this thread, is deployed; but, as Robert says, a more
> > elaborate scheme might lower performance..
> 
> Can we control the ports just like we control devices? With file
> permissions? Then the admin will be able to use chown/chmod to grant
> permissions to particular ports: 
> 
> 	chmod g+rw /net/udp6/talk
> 
> for example... This will require a portfs or some such, of course. 

I was also interested in something like that, and had some initial
prototyping of that also.  When I saw DES import his 'pseudofs' I had
hoped that would be a good vehicle to support such a synthetic file
system, but it turns out the overhead of maintaining many nodes is very
high.  What we want is a file system that has minimal overhead for the
ports/etc when they're not actively represented by vnodes, since
potentially there would be hundreds of thousands of virtual files in such
a tree representing various ports.  Also, in the above you'd probably
simply want udp6/517, as the name->port and port->name mappings are
maintained in userland rather than the kernel.  Another advantage to
selecting the interface you've suggested above is that it allows
additional management tools for other types of protections to be used,
such as ACLs, MAC labels, etc.  One of the downsides of the representation
above is that it can't represent rules like: "can bind port 'talk' on IP
127.0.0.1", or "can bind port 'http' on IP 192.168.11.1".


Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services
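A toy model of the scheme under discussion, added here as an illustration and not code from the thread or from FreeBSD: ports as synthetic files whose ordinary mode bits decide who may bind, a userland name->port table, and a table key that carries no IP address, which is the limitation Robert points out. The /net/<proto>/<port> layout, the default modes, the services entries and all uids/gids are assumptions.

```python
# Toy model of the "portfs" idea from the thread: every network port is a
# synthetic file and its Unix mode bits decide who may bind it.
# Constructed illustration, not FreeBSD code; the /net/<proto>/<port> layout,
# the services table and all uids/gids below are assumptions.

SERVICES = {"talk": ("udp6", 517), "http": ("tcp", 80)}  # userland name->port
ROOT_UID = 0
W_BIT = 2  # the node's write bit is read as "may bind this port"

class PortNode:
    def __init__(self, uid, gid, mode):  # mode: classic 9-bit rwxrwxrwx
        self.uid, self.gid, self.mode = uid, gid, mode

class PortFS:
    """Kernel-side table keyed by /net/<proto>/<port>. The key carries no IP
    address, so a rule like "may bind 517 on 127.0.0.1 only" has no place here."""

    def __init__(self):
        self.nodes = {}

    def node(self, proto, port):
        # Unlisted ports get a default node (assumed): reserved ports root-only,
        # everything else bindable by anyone, mirroring the classic BSD rule.
        key = f"/net/{proto}/{port}"
        if key not in self.nodes:
            self.nodes[key] = PortNode(ROOT_UID, 0, 0o600 if port < 1024 else 0o666)
        return self.nodes[key]

    def chown(self, proto, port, uid, gid):
        n = self.node(proto, port)
        n.uid, n.gid = uid, gid

    def chmod(self, proto, port, mode):
        self.node(proto, port).mode = mode

    def can_bind(self, uid, gids, proto, port):
        """Owner/group/other check on the w bit; root bypasses as with files."""
        if uid == ROOT_UID:
            return True
        n = self.node(proto, port)
        if uid == n.uid:
            bits = n.mode >> 6
        elif n.gid in gids:
            bits = n.mode >> 3
        else:
            bits = n.mode
        return bool(bits & W_BIT)

def can_bind_by_name(fs, uid, gids, name):
    # Resolve the service name in userland, then consult the kernel-side table.
    proto, port = SERVICES[name]
    return fs.can_bind(uid, gids, proto, port)
```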


