Date: Wed, 21 Jun 2000 11:19:48 +0400 (MSD)
From: "Ilmar S. Habibulin"
To: James Howard
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Network ACLs
In-Reply-To: <200006210104.VAA07282@rac6.wam.umd.edu>

On Tue, 20 Jun 2000, James Howard wrote:

> I want to be able to create a group called "inet" and anyone who is a
> member of that group may open connections. However, they may not
> listen. Root can do anything he/she wants. Nobody else can do anything.

Well, then you need POSIX capabilities plus the file ACLs of TrustedBSD, if you are interested in TrustedBSD features. But they are not fully implemented right now. To solve your problem you can follow the advice to use the ipfw uid/gid filtering option, because TrustedBSD is far from being finished.