From: klavs klavsen (kl_at_vsen.dk)
Date: Thu 01 Aug 2002 - 08:42:57 BST
I have an idea about how vserver could/should be able to restrict what
is allowed to listen on a certain port, in a certain vserver context.
One should be able to define
PORTS="'named'/53tcp+udp 'listener -Idbname'/1521tcp" which would only
allow a process called named to listen on port 53tcp and udp, and a
process matching 'listener -Idbname' to listen on port 1521tcp.
Then one should be be able to define that no other process can bind any
ports, by setting f.ex.
the PORTS variable could be enhanced, to allow port-ranges (1023> and
1023><6000), checking for a certain UID/GID and even checking that the
process executable has the right SHA-1 hash value.
These measures would greatly enhance the vserver security, as a hacker
who got hold of root in your vserver would not be able to install a
common root kit for instance.
As I don't know of any programs which bind ports too often, I don't
think there should be a performance problem.
Tell me what you think of the idea, and also if you have any ideas as to
how it should be implemented (where, when and how) as I'm totally new to
kernel/vserver hacking :-)
-- Regards, Klavs Klavsen
-------------| This mail has been sent to you by: |------------ Klavs Klavsen - Open Source Consultant kl_at_vsen.dk - http://www.vsen.dk
Get PGP key from www.keyserver.net - Key ID: 0x586D5BCA Fingerprint = A95E B57B 3CE0 9131 9D15 94DA E1CD 641E 586D 5BCA --------------------[ I believe that... ]----------------------- It is a myth that people resist change. People resist what other people make them do, not what they themselves choose to do... That's why companies that innovate successfully year after year seek their peopl's ideas, let them initiate new projects and encourage more experiments. -- Rosabeth Moss Kanter