Hi,
On Thu, Mar 17, 2005 at 08:46:51AM +0200, Tommi Virtanen wrote:
> There's a simple reason why that's not really what you want.
>
> Imagine two security-sensitive services, with different sets of
> allowed users. Using UNIX domain sockets with filesystem access
> control allows using two groups to list the allowed users for each
> service -- using <1024 source port does not.
It does.
The frontend (that would acquire the privileged socket) would need
to be setuid root for this and then could enforce whatever policies,
much more flexible than the Unix group membership model if you want.
Best regards,
--
Kurt Garloff <kurt@xxxxxxxxxx> [Koeln, DE]
Physics:Plasma modeling <garloff@xxxxxxxxxxxxxxxxxxx> [TU Eindhoven, NL]
Linux: SUSE Labs (Director) <garloff@xxxxxxx> [Novell Inc]
pgpChemo8uoOJ.pgp
Description: PGP signature
|