From: edwin@gurde.com
To: Bodo Eggert <7eggert@gmx.de>
Cc: linux-kernel@vger.kernel.org, fireflier-devel@lists.sourceforge.net
Subject: Re: [RFC] packet/socket owner match (fireflier) using skfilter
Date: Sat, 8 Apr 2006 10:50:50 +0300 [thread overview]
Message-ID: <20060408075050.GB5797@gurde.com> (raw)
In-Reply-To: <Pine.LNX.4.58.0604072149110.2496@be1.lrz>
On Fri, Apr 07, 2006 at 10:06:45PM +0200, Bodo Eggert wrote:
> On Fri, 7 Apr 2006 edwin@gurde.com wrote:
>
> If apache is running a CGI script, it must pass the socket (bound to
> remote:port,local:80, to the CGI at fd 2*. If your firewall is blocking
> this, your CGI scripts will stop working.
Hmm, an exception could be made for programs like apache.
The user would then create a rule that says that apache is allowed to pass on
file descriptors.
Or a rule could be created for the userspace part of fireflier that would auto-add the cgi-scripts
to apache's group sid. Which IMHO would be the best, because the user will still have control on
what programs have access to the network. He can see that list at any time, and modify it, if not correct.
If we would simply allow file descriptors to be passed on, he wouldn't have that control.
(none of this is implemented yet)
> > running a program via NFS, and giving access for it to the network? why
> > would I want that?
>
> Why not? E.g. you could set up a farm of redundand apache servers.
Ok, so the userspace part of fireflier will have to deal with nfs mounts as a special case.
It should store the rules in "server,path,executable hash" format, and do the inode lookup on startup,
or when the first packet arrives.
> > Aren't inodes stored on the disk?
>
> At least Mostly, but is this a requirement?
Currently it is, until we implement path+hash rules for nfs mounts,etc.
What devices can I safely assume that the inodes won't change over boots/mounts?
Cheers,
Edwin
next prev parent reply other threads:[~2006-04-08 7:51 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <5X7nH-7n6-7@gated-at.bofh.it>
2006-04-06 12:21 ` [RFC] packet/socket owner match (fireflier) using skfilter Bodo Eggert
2006-04-07 18:58 ` edwin
2006-04-07 20:06 ` Bodo Eggert
2006-04-08 7:50 ` edwin [this message]
2006-04-02 9:40 Török Edwin
2006-04-03 15:18 ` James Morris
2006-04-03 15:39 ` Török Edwin
2006-04-05 15:06 ` Stephen Smalley
2006-04-07 17:34 ` Török Edwin
2006-04-21 15:26 ` Mikado
2006-04-21 16:18 ` Török Edwin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060408075050.GB5797@gurde.com \
--to=edwin@gurde.com \
--cc=7eggert@gmx.de \
--cc=fireflier-devel@lists.sourceforge.net \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).