Re: Proposal to automatically make the owner/user of an accepted socket the current process

[mlelstv%serpens.de@localhost (Michael van Elst)]

gdt%lexort.com@localhost (Greg Troxel) writes:

>It may be that the firewall rules should be based on the process's
>uid/gid, and that the concept of sockets having owners is just a red herring.

Even filtering packets on some guessed uid/gid value is questionable
as processes don't send or receive packets. They do system calls
on socket descriptors.

You could add some filter to sockets and control addresses used by
bind(), connect() and sendto/sendmsg/sendmmsg() syscalls for each user.
The "privileged ports" that are restricted to root are then just a
special case.