Subject: Re: new sysctl - privilaged ports runtime option?
To: None <itojun@iijlab.net>
From: Andrew Brown <atatat@atatdot.net>
List: tech-kern
Date: 08/12/2002 09:28:11
>>what you can do though is remove the restriction on the ports, then use 
>>systrace to restrict them.  this gives you the ability to have sendmail, 
>>etc. running as an unpriv user, but still allowed to bind to the proper 
>>port(s).
>
>	systrace can enforce policy for certain programs (by
>	/etc/systrace/usr_bin_finger and such), not all programs.

it can "enforce" policy, but not relax policy.  systrace is useful for
disallowing programs from making arbitrary system calls based on the
arguments, etc, but it cannot ultimately allow a program to make a
system call that the kernel disallows.  eg, a non-root process
attempting to bind to a "privileged" port.  :(

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."