On Sat, Jan 30, 1999 at 02:03:07PM +1300, Chris Wedgwood wrote:
> On Fri, Jan 29, 1999 at 01:19:59PM -0800, Shane Wegner wrote:
>=20
> > I've encountered this problem with a patch under the 2.0.36 kernel.=20
> > I have used this patch under 2.0.33-2.0.35 without any problem but
> > recently it has been flakey.
>=20
> > + /* The low and high bytes of the port must be swaped inorder to work =
*/
> > + if ( (current->uid >=3D 1000) && (current->sgid !=3D 103)
> > + && ((ntohl(sin->sin_addr.s_addr) & 0xFFFFFF00) !=3D (127 << 24))
> > + && (sin->sin_port !=3D htons(43)) /* whois */
> > + && (sin->sin_port !=3D htons(53)) /* dns */
> > + && (sin->sin_port !=3D htons(70)) /* gofer */
> > + && (sin->sin_port !=3D htons(79)) /* finger */
> > + && (sin->sin_port !=3D htons(80)) /* http */
> > + && (sin->sin_port !=3D htons(113)) /* ident */
> > + && (sin->sin_port !=3D htons(443)) /* https */
> > + && (sin->sin_port !=3D htons(517)) /* talk */
> > + && (sin->sin_port !=3D htons(518)) ) /* ntalk */
> > + for (i =3D 0;i < NGROUPS;i++)
> > + {
> > + if (current->groups[i] =3D=3D 103)
> > + allow_connect =3D 1;
>=20
> [...]
>=20
> Oo... yuck. No offense intended, in 2.0.x you don't have many
> options. You might want to look at 2.2.x -- it have `capabilites'
> that you can give to processes. This would allow you to hack login
> (or whatever) to give certain processes the ability to bind to ports
> < 1024....
>=20
Hi,
As far as I know 2.2.0 doesn't have the ability to do what I need it to.
The idea behind that patch was to restrict all outbound connections to
users with a uid < 1000 or in group 103 except to certain ports. The fact
that it works for a while indicates the patch is sound but I am by no
means a kernel hacker so I don't know why it would stop working after a
day or two of uptime.
Furthermore, I wrote a little program that makes a test connection to a
remote site and executed it as a user which was not in group 103 and it
went through but when I put it into the user's crontab, it failed as it
should. So it's only succeeding when the user is logged in.
--=20
Shane Wegner: shane@cm.nu
Tel: (604) 930-0530
Sysadmin, Continuum Systems: http://www.cm.nu
Personal website: http://www.cm.nu/~shane
PGP: keyid: 2048/F5C2BD91
Fingerprint: 8C 48 B9 D8 53 BB D8 EF
76 BB DB A2 1C 0D 1D 87
--82I3+IH0IqGh5yIs
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
MessageID: mxTz++enhkXL9pVIODz9GXu5B3b5yGmR
iQEVAwUBNrTIPnernFT1wr2RAQE3lggAnll9fcvAeTRDgkhtpLijhTj1Pfb0g/10
0Zh7ltxqWV9IsF9q8zJaRSxKnQthFQZJkGKGrGkOdw2sZPt5dV5mWrNcTKqEOpX9
7UIrY0RPU9/XBhfOaouQYiDJ6Hmetl8tZZPegEYSvcBHBcNttbRMkq3dd4xk9RVV
+/17CuK4LdTciAZG1B4uIvGLujBFiDewsdNyPZDaJEhlYdTmYgxMVkfQGttbUgZP
HL9A+rhDgkOoWvDW+rkw4Qbitx20SkUa+FySEbuFDQkbv19aYTErkpVcJQ1nqVQZ
iMZgxLiC+/QcbjNH7Au+ert/H9ICKPRA4CI1pGsiL4fZ7b87P/y1sQ==
=WJ//
-----END PGP SIGNATURE-----
--82I3+IH0IqGh5yIs--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/