diff -urN linux-2.4.19-pre5-hidden-fixed-pspa/include/linux/sysctl.h linux-2.4.19-pre5-hidden-fixed-pspa-fixed/include/linux/sysctl.h
--- linux-2.4.19-pre5-hidden-fixed-pspa/include/linux/sysctl.h Sun Mar 31 17:21:02 2002
+++ linux-2.4.19-pre5-hidden-fixed-pspa-fixed/include/linux/sysctl.h Sun Mar 31 17:22:34 2002
@@ -291,7 +291,10 @@
  NET_IPV4_NONLOCAL_BIND=88,
  NET_IPV4_ICMP_RATELIMIT=89,
  NET_IPV4_ICMP_RATEMASK=90,
- NET_TCP_TW_REUSE=91
+ NET_TCP_TW_REUSE=91,
+ NET_IP_PORT_ACL_GID=92,
+ NET_IP_SOCK_RAW_GID=93,
+ NET_IP_SOCK_PACKET_GID=94
 };
 
 enum {
diff -urN linux-2.4.19-pre5-hidden-fixed-pspa/net/ipv4/sysctl_net_ipv4.c linux-2.4.19-pre5-hidden-fixed-pspa-fixed/net/ipv4/sysctl_net_ipv4.c
--- linux-2.4.19-pre5-hidden-fixed-pspa/net/ipv4/sysctl_net_ipv4.c Sun Mar 31 17:21:02 2002
+++ linux-2.4.19-pre5-hidden-fixed-pspa-fixed/net/ipv4/sysctl_net_ipv4.c Sun Mar 31 17:24:47 2002
@@ -229,6 +229,14 @@
  &sysctl_icmp_ratemask, sizeof(int), 0644, NULL, &proc_dointvec},
  {NET_TCP_TW_REUSE, "tcp_tw_reuse",
  &sysctl_tcp_tw_reuse, sizeof(int), 0644, NULL, &proc_dointvec},
+#ifdef CONFIG_PORT_ACLS
+ {NET_IP_PORT_ACL_GID, "ip_port_acl_gid",
+ &sysctl_port_acl_gid, sizeof(int), 0644, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_SOCK_RAW_GROUP
+ {NET_IP_SOCK_RAW_GID, "ip_sock_raw_gid",
+ &sysctl_sock_raw_gid, sizeof(int), 0644, NULL, &proc_dointvec},
+#endif
  {0}
 };
 
--- ./Documentation/Configure.help-no-pspa Sat Apr 27 22:19:58 2002
+++ ./Documentation/Configure.help Sat Apr 27 22:23:14 2002
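Review bot: The three new constants are named NET_IP_* while every sibling in this enum uses the NET_IPV4_ prefix (NET_IPV4_NONLOCAL_BIND, NET_IPV4_ICMP_RATEMASK), so they read as belonging to a different table; `NET_IPV4_PORT_ACL_GID`, `NET_IPV4_SOCK_RAW_GID` and `NET_IPV4_SOCK_PACKET_GID` would keep the naming uniform. NET_IP_SOCK_PACKET_GID=94 is added here but no ctl_table entry for it appears in the sysctl_net_ipv4.c hunk of this patch, and the accompanying help text places that knob at /proc/sys/net/sock_packet_gid rather than under ipv4, so if it is registered in the net core table the constant presumably belongs in that enum instead. Because these values are the binary sysctl(2) numbers, a short comment such as `/* 92-94: out-of-tree pseudo-ACL knobs; may collide with later upstream ids */` would help whoever merges this forward.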
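Review bot: Both new entries use proc_dointvec with no bounds, so any int, including a negative value, can be written to ip_port_acl_gid and ip_sock_raw_gid even though the value is compared against a gid; using `&proc_dointvec_minmax` as the handler with `&sysctl_intvec` as the strategy and extra1 pointing at a file-scope `static int zero = 0;` would reject values that can never match a real group. The registered proc name "ip_port_acl_gid" does not match the /proc/sys/net/ipv[46]/port_acl_gid path quoted in the Configure.help hunk, although the worked example there uses ip_port_acl_gid, so one of the two should be corrected. The declarations and initial values of sysctl_port_acl_gid and sysctl_sock_raw_gid are outside this hunk; whatever the default is, it should presumably be a gid no process can carry, since a default of 0 would appear to open the raw-socket path to any process running with egid 0, which is worth confirming where they are defined. The enclosing ctl_table definition starts before the hunk.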
@@ -20860,6 +20860,74 @@
 including the model, CPU, MMU, clock speed, BogoMIPS rating, and
 memory size.
 
+IP: port/socket pseudo ACLs
+CONFIG_PSEUDO_ACLS
+ If you say yes here, config will ask a few more questions about port
+ and socket ACLs.
+
+IP: port pseudo ACLs
+CONFIG_PORT_ACLS
+ This simple hack allows root to delegate the ability to bind to
+ a reserved port (port < 1024) to non-privileged users, much like
+ CAP_NET_BIND_SERVICE; however, it allows much finer access control
+ than the capability. By setgid-ing any binary owned by the gid
+ specified in /proc/sys/net/ipv[46]/port_acl_gid, non-root users will
+ be able to use that binary to bind to the tcp or udp port equal to
+ their system uid.
+
+ For instance, perhaps one would like to run snmpd as non-privileged
+ user "snmp," simply:
+
+ Say yes here and compile a new kernel, then reboot into it.
+ Create a user "snmp" in /etc/passwd with a uid of 161.
+ Create a group "portacl" with an unused gid, $gid here.
+ # echo $gid > /proc/sys/net/ipv4/ip_port_acl_gid
+ # chown root.$gid /usr/sbin/snmpd
+ # chmod 2755 /usr/sbin/snmpd
+ # su - snmp -c /usr/sbin/snmpd -r
+
+ You will most likely need to tweak the snmpd configs a bit, too.
+
+ For more info, check http://original.killa.net/infosec/acls/index.html
+
+IP: Raw socket group
+CONFIG_SOCK_RAW_GROUP
+ Say yes here if you wish to give a special group access to raw sockets.
+ Any raw-socket-needing binary setgid this group will not require root
+ access to do its duty. This may mitigate any as yet unknown exploits
+ for a class of setuid zero networking applications, such as ping,
+ traceroute or mtr.
+
+ SOCK_RAW sockets work at the IP level, layer 3 (Network) in the
+ OSI model.
+
+ You will need to setgid any binaries needing raw sockets to a new gid,
+ and specify that gid in /proc/sys/net/ipv[46]/ip_sock_raw_gid for it to
+ take effect.
+
+ For more info, check http://original.killa.net/infosec/acls/index.html
+
+IP: Packet socket group
+CONFIG_SOCK_PACKET_GROUP
+ This option allows you to split off packet socket privileges to a
+ seperate group. Unlike CAP_NET_RAW, you will have finer control over
+ which binaries will get SOCK_PACKET privs and which get SOCK_RAW privs.
+
+ SOCK_PACKET sockets work at the device driver level, layer 2 (data link)
+ in the OSI model. As such, it is a lower level interface than SOCK_RAW.
+ The most common binaries that require packet socket access are those
+ which use the functionality of libpcap (e.g. tcpdump).
+
+ You will need to setgid any binaries needing packet sockets to a new
+ gid, and specify that gid in /proc/sys/net/sock_packet_gid for it to
+ take effect.
+
+ NOTE: I recommend you say yes, unless you have a (weird) application
+ that needs both raw and packet sockets. This will protect you from
+ any ping/traceroute exploits leading to a sniffer attack.
+
+ For more info, check http://original.killa.net/infosec/acls/index.html
+
 Bluetooth subsystem support
 CONFIG_BLUEZ
  Bluetooth is low-cost, low-power, short-range wireless technology.