Casper.Dik at Sun.COM wrote:
> 
>> But it makes the description of NET_ACCESS much more complicated; not 
>> only do we have PRIV_NET_RAWACCESS but also PRIV_NET_ICMPACCESS.
> 
> I'm not sure that this is more complicated by any stretch of imagination.
> 
> +     PRIV_NET_ACCESS
> +       Allows a process to open an unprivileged network connection.
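
Review bot: the description line under PRIV_NET_ACCESS relies on the phrase "unprivileged network connection", which the hunk never defines, so a reader cannot tell which endpoints the privilege gates. Suggest naming the covered address families or transports explicitly rather than describing them by negation.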

You're kidding, right? You have a circular definition with a negation in 
it. Hence self-conflicting. For example.
Since one requires PRIV_NET_ACCESS to open a TCP socket, that makes a 
TCP socket a privileged network connection. Hence by the above 
description a TCP socket doesn't require PRIV_NET_ACCESS.

>> If we uniformly apply NET_ACCESS for all IP based transports then there 
>> is a single privilege that needs to be removed to ensure that IP 
>> networking can not be used.
> 
> Requiring multiple privileges for a specific operation runs against the 
> grain of the Solaris privilege implementation.

It is just about "implementation", or something more fundamental?

It sounded from the case that you wanted to provide a single privilege 
that could be removed to prevent opening any INET/INET6 socket. But you 
are not providing that since the user would also have to make sure 
PRIV_NET_*ACCESS is removed.

If we really can't have an umbrella PRIV_NET_ACCESS apply to all INET* 
endpoints, then it would make more sense to introduce finer grain ones 
like PRIV_NET_{TCP,UDP,SCTP}ACCESS which follows the pattern of the RAW 
and ICMP ones.

    Erik
