Accessfs: permission filesystem for linux

Submitted by olaf on 2002-11-07
Last modified at 2014-05-10
Tags: linux kernel

This is a new file system to manage permissions. It is not very useful on its own: you also need to load one of the modules described below.

User permission based IP ports

With this module, you will be able to control access to IP ports based on user or group id.

There is no longer any need to run internet daemons as root. You can configure individually which user (and therefore which program) may bind to protected ports (by default, those below 1024).

For example, you can say that user www is allowed to bind to port 80 and user mail is allowed to bind to port 25. Then you can run apache as user www and sendmail as user mail, and you no longer have to rely on apache or sendmail dropping superuser rights for security.

To use this option, mount the access file system and chown the appropriate port entries:

mount -t accessfs none /proc/access
chown www /proc/access/net/ip/bind/80
chown mail /proc/access/net/ip/bind/25

You can also grant access to a group for individual ports:

chgrp lp /proc/access/net/ip/bind/515
chmod g+x /proc/access/net/ip/bind/515

User permission based capabilities

With this module, you will be able to grant capabilities based on user or group id (by default they belong to root).

For example, you can create a group raw and assign the capability net_raw to that group:

chgrp raw /proc/access/capabilities/net_raw
chmod ug+x /proc/access/capabilities/net_raw
chgrp raw /sbin/ping
chmod u-s /sbin/ping; chmod g+s /sbin/ping
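The port and capability recipes above are the same two operations applied to different entries: chown an entry to a user, or chgrp it and set g+x for a group. The script below is an added example written for this page; it is not part of the accessfs patch and does not come from its author. It wraps both recipes and adds an audit that lists who has been delegated what, which is the check the warning below asks you to keep in mind. It assumes the mount point /proc/access from the page (overridable through ACCESSFS_ROOT so it can be dry-run against a constructed directory tree), GNU stat(1), and, inferred from the page's use of chmod g+x / ug+x, that the per-class execute bit is what accessfs consults.

```shell
#!/bin/sh
# Added example, not part of the accessfs patch or of the page's own text.
# It wraps the page's recipes (chown a port entry to a user; chgrp + chmod g+x
# for a group; the same for a capability entry) and audits what has been
# delegated. ACCESSFS_ROOT defaults to the mount point the page uses and can
# be pointed at a constructed directory tree for dry runs.
ACCESSFS_ROOT="${ACCESSFS_ROOT:-/proc/access}"

# accessfs_entry RELPATH -> absolute path of an entry such as net/ip/bind/80
# or capabilities/net_raw.
accessfs_entry() {
    printf '%s/%s\n' "$ACCESSFS_ROOT" "$1"
}

# accessfs_grant RELPATH PRINCIPAL
#   PRINCIPAL "www" -> chown www ENTRY              (page: user access)
#   PRINCIPAL ":lp" -> chgrp lp ENTRY; chmod g+x    (page: group access)
accessfs_grant() {
    entry=$(accessfs_entry "$1")
    if [ ! -e "$entry" ]; then
        echo "accessfs_grant: no such entry: $entry" >&2
        return 1
    fi
    case $2 in
        :*) chgrp "${2#:}" "$entry" && chmod g+x "$entry" ;;
        *)  chown "$2" "$entry" ;;
    esac
}

# accessfs_audit SUBTREE -> one line per entry: NAME OWNER GROUP MODE [FLAGS]
#   Assumption (inferred from the page's chmod g+x / ug+x): accessfs treats
#   the per-class x bit as the grant, so FLAGS marks entries usable by the
#   group (g+x) or by everyone (o+x), and entries no longer owned by root.
#   Uses GNU stat(1).
accessfs_audit() {
    for entry in "$ACCESSFS_ROOT/$1"/*; do
        [ -e "$entry" ] || continue
        set -- $(stat -c '%U %G %a' "$entry")
        owner=$1 group=$2 mode=$3
        flags=""
        case $mode in *[1357])  flags="$flags o+x" ;; esac
        case $mode in *[1357]?) flags="$flags g+x" ;; esac
        if [ "$owner" != root ]; then flags="$flags non-root-owner"; fi
        echo "${entry##*/} $owner $group $mode${flags:+ [${flags# }]}"
    done
}

# accessfs_count_delegated SUBTREE -> number of entries in SUBTREE that a
# group or the world can use; a one-number check to run after any change.
accessfs_count_delegated() {
    accessfs_audit "$1" | grep -c '[go]+x'
}
```

Source the file on a machine with accessfs mounted and run, for example, `accessfs_audit net/ip/bind` or `accessfs_audit capabilities` as root; every line carrying a g+x or o+x flag is a port or capability that some non-root principal can use, and each such principal is one to which the warning below applies.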

Warning

LD_PRELOAD is a glibc feature that allows system library functions to be overridden. But it is also a security hole through which an attacker might gain unauthorized privileges. For SUID and SGID binaries this is already prevented.

Of course, GNU libc doesn’t know about accessfs and does not disable LD_PRELOAD for executables that are privileged only through it. This means you must be careful about which users and groups you grant access to ports or capabilities.

File                                Date              Size
accessfs-3.14-20140510.patch.gz 2014-05-10 20:37 7.5 k
accessfs-3.13-20140510.patch.gz 2014-05-10 19:20 7.5 k
accessfs-3.12-20140510.patch.gz 2014-05-10 14:50 7.5 k
accessfs-3.11-20140321.patch.gz 2014-03-21 16:01 7.5 k
accessfs-3.10-20140321.patch.gz 2014-03-21 13:35 7.5 k
accessfs-3.9-20140320.patch.gz 2014-03-20 18:09 7.5 k
accessfs-3.8-20140213.patch.gz 2014-02-13 22:53 7.5 k
accessfs-3.7-20140213.patch.gz 2014-02-13 22:29 7.4 k
accessfs-3.6-20140213.patch.gz 2014-02-13 22:21 7.5 k
accessfs-3.5-20140213.patch.gz 2014-02-13 22:20 7.5 k
accessfs-3.4-20140213.patch.gz 2014-02-13 22:20 7.5 k
accessfs-3.3-20140213.patch.gz 2014-02-13 22:19 7.5 k
accessfs-3.2-0.26.patch.gz 2012-02-03 16:00 7.1 k
accessfs-3.1-0.26.patch.gz 2012-02-03 16:00 7.1 k
accessfs-3.0-0.26.patch.gz 2012-02-03 16:00 7.1 k
accessfs-2.6.38-0.25.patch.gz 2011-04-11 22:39 7.1 k
accessfs-2.6.38-0.24.patch.gz 2011-04-10 23:45 7.1 k
accessfs-2.6.31-0.23.patch.gz 2009-10-04 18:21 7.1 k
accessfs-2.6.26-0.22.patch.gz 2008-08-10 15:34 7.0 k
accessfs-2.6.26-0.21.patch.gz 2008-08-08 22:10 7.1 k
accessfs-2.6.25-0.21.patch.gz 2008-05-12 22:51 7.0 k
accessfs-2.6.24-0.20.patch.gz 2008-02-03 22:27 7.0 k
accessfs-2.6.23-0.20.patch.gz 2007-10-26 18:03 6.8 k
accessfs-2.6.19-0.20.patch.gz 2006-12-03 15:52 6.7 k
accessfs-2.6.18-0.19.patch.gz 2006-09-22 14:21 6.7 k
accessfs-2.6.15-0.17.patch.gz 2006-01-14 22:03 6.5 k
accessfs-2.6.12-0.17.patch.gz 2005-09-01 20:39 6.6 k
accessfs-2.6.13-0.17.patch.gz 2005-09-01 20:39 6.5 k
accessfs-2.6.9-0.17.patch.gz 2004-10-24 01:06 6.6 k
accessfs-2.6.7-0.17.patch.gz 2004-07-22 14:42 6.6 k
accessfs-2.6.0-test2-0.16.patch.gz 2003-07-28 15:38 6.6 k
accessfs-2.5.72-0.15.patch.gz 2003-06-25 01:24 6.7 k
accessfs-2.5.60-0.14.patch.gz 2003-02-11 02:37 6.6 k
accessfs-2.5.54-0.14.patch.gz 2003-01-02 16:38 6.7 k
accessfs-2.5.52-0.13.patch.gz 2002-12-16 17:45 6.7 k
accessfs-2.5.51-0.12.patch.gz 2002-12-11 17:36 6.6 k
accessfs-2.5.46-0.11.patch.gz 2002-11-12 17:41 6.9 k
accessfs-2.5.46-0.10.patch.gz 2002-11-05 11:49 6.9 k