Accessfs: permission filesystem for linux

Accessfs is a new file system for managing permissions. On its own it is not very useful; you need to load one of the modules described below.

User permission based IP ports

With this module, you can control access to IP ports based on user or group id.

There is no longer any need to run internet daemons as root. You can configure individually which user or program may bind to protected ports (by default, those below 1024).

For example, you can specify that user www is allowed to bind to port 80 and user mail to port 25. Then you can run apache as user www and sendmail as user mail, and you no longer have to rely on apache or sendmail dropping superuser rights to enhance security.

To use this option, you need to mount the access file system and do a chown on the appropriate ports:

# mount -t accessfs none /proc/access
# chown www /proc/access/net/ip/bind/80
# chown mail /proc/access/net/ip/bind/25

You can grant access to a group for individual ports as well. Just say:

# chgrp lp /proc/access/net/ip/bind/515
# chmod g+x /proc/access/net/ip/bind/515

User permission based capabilities

With this module, you can grant capabilities based on user or group id (root by default).

For example, you can create a group raw, assign the capability net_raw to this group, and then let ping run setgid raw instead of setuid root:

# chgrp raw /proc/access/capabilities/net_raw
# chmod ug+x /proc/access/capabilities/net_raw
# chgrp raw /sbin/ping
# chmod u-s /sbin/ping; chmod g+s /sbin/ping
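To see what an accessfs mount currently grants for ports and capabilities, here is an added audit script (example code, not part of accessfs): it walks net/ip/bind and capabilities under the mount point (default /proc/access, overridable for testing) and reports, per entry, which owner, group and others hold the execute bit. It assumes, as the chmod commands above suggest, that the execute bit is what grants an entry to its owner (u+x), its group (g+x) or everyone (o+x).

```shell
#!/bin/sh
# Audit which users and groups an accessfs mount grants access to.
# Added example for this page, not part of accessfs itself. Assumes the
# layout described above: <root>/net/ip/bind/<port> and <root>/capabilities/<name>,
# with an execute bit granting the entry to its owner, its group or everyone.

# has_x MODE POS: succeed if the ls(1) mode string has an execute bit at POS
# (4 = owner, 7 = group, 10 = others); 's' and 't' imply execute as well.
has_x() {
    case $(printf '%s' "$1" | cut -c"$2") in
        x|s|t) return 0 ;;
        *)     return 1 ;;
    esac
}

# accessfs_grants [ROOT]: one line per entry under ROOT (default /proc/access):
#   <path> user=<owner|-> group=<group|-> others=<yes|no>
# '-' means that principal lacks the execute bit and so holds no grant;
# others=yes on a port means any local user may bind it and deserves a look.
accessfs_grants() {
    root=${1:-/proc/access}
    for dir in "$root/net/ip/bind" "$root/capabilities"; do
        [ -d "$dir" ] || continue
        for entry in "$dir"/*; do
            [ -e "$entry" ] || continue
            # ls -ld fields: mode links owner group size date... name
            set -- $(ls -ld "$entry")
            mode=$1 owner=$3 group=$4
            u=-; g=-; o=no
            has_x "$mode" 4  && u=$owner
            has_x "$mode" 7  && g=$group
            has_x "$mode" 10 && o=yes
            printf '%s user=%s group=%s others=%s\n' \
                "${entry#"$root/"}" "$u" "$g" "$o"
        done
    done
}

# Stand-alone use on a live mount (mount it first, as shown above):
# accessfs_grants /proc/access
```

Run it after every chown/chmod on the mount, or from a cron job, to catch a port or capability that drifted to a broader group or to others=yes.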

Warning

LD_PRELOAD is a glibc feature that allows system library functions to be overridden. But it is also a security hole, through which an attacker might gain unauthorized privileges. For SUID and SGID binaries this is already prevented.

Of course, GNU libc doesn't know about accessfs and therefore doesn't disable LD_PRELOAD for executables that are privileged only through accessfs. This means you must be careful about which users and groups you grant access to ports or capabilities.

Download

Name                                  Last modified       Size
accessfs-2.6.31-0.23.patch.gz         04-Oct-2009 18:21   7k
accessfs-2.6.26-0.22.patch.gz         10-Aug-2008 15:34   7k
accessfs-2.6.26-0.21.patch.gz         08-Aug-2008 22:10   7k
accessfs-2.6.25-0.21.patch.gz         12-May-2008 22:51   7k
accessfs-2.6.24-0.20.patch.gz         03-Feb-2008 22:27   7k
accessfs-2.6.23-0.20.patch.gz         26-Oct-2007 18:03   7k
accessfs-2.6.19-0.20.patch.gz         03-Dec-2006 15:52   7k
accessfs-2.6.18-0.19.patch.gz         22-Sep-2006 14:21   7k
accessfs-2.6.15-0.17.patch.gz         14-Jan-2006 22:03   7k
accessfs-2.6.13-0.17.patch.gz         01-Sep-2005 20:39   7k
accessfs-2.6.12-0.17.patch.gz         01-Sep-2005 20:39   7k
accessfs-2.6.9-0.17.patch.gz          24-Oct-2004 01:06   7k
accessfs-2.6.7-0.17.patch.gz          22-Jul-2004 14:42   7k
accessfs-2.6.0-test2-0.16.patch.gz    28-Jul-2003 15:38   7k
accessfs-2.5.72-0.15.patch.gz         25-Jun-2003 01:24   7k
accessfs-2.5.60-0.14.patch.gz         11-Feb-2003 02:37   7k
accessfs-2.5.54-0.14.patch.gz         02-Jan-2003 16:38   7k
accessfs-2.5.52-0.13.patch.gz         16-Dec-2002 17:45   7k
accessfs-2.5.51-0.12.patch.gz         11-Dec-2002 17:36   7k
accessfs-2.5.46-0.11.patch.gz         12-Nov-2002 17:41   7k
accessfs-2.5.46-0.10.patch.gz         05-Nov-2002 11:49   7k

Olaf Dietsche
Last modified: Sun Oct 4 18:21:31 CEST 2009