Subject: Re: allowing unpriv users to bind to priv ports
To: Joe Reed <jnr@po.cwru.edu>
From: Lubomir Sedlacik <salo@Xtrmntr.org>
List: tech-kern
Date: 09/25/2002 23:17:05

hi joe,

On Wed, Sep 25, 2002 at 03:26:51PM -0400, Joe Reed wrote:
>
> i've been working on a utility to allow unprivileged users to bind to
> privileged ports on a per user/group basis.  the rules are similar to
> ipf rules and allow for daemons to be run as unprivileged users, but
> still bind to the proper port (without losing any restriction for any
> other user), with a specific protocol.  these rules only work for
> ports less than the reserved port.  and superuser is always allowed to
> bind, regardless of rules.
>
> the ports that have rules are stored in a linked list, with their
> rules in a set of lists as well (allow and deny).  i used the linked
> lists for simplicity and proof of concept.  still lookup time is
> (worst case) O(p+a) for allow and O(p+d) for deny case.  where p =
> number of ports that have rules, a,d = number of allow,deny rules
> respectively.  so if there is no rule for that user/group on that
> port, the worst possible search time is O(p+d+a).  which is not too
> horrible.

just a little note: what about /dev/ports/(tcp|tcp6|udp|udp6)/1-65535
nodes with appropriate owner/group or even permissions (e.g. x as an
"allow binding" flag)?


regards,

--
-- Lubomir Sedlacik <salo@Xtrmntr.org>   ASCII Ribbon campaign against  /"\ --
--                  <salo@silcnet.org>   e-mail in gratuitous HTML and  \ / --
--                                       Microsoft proprietary formats   X  --
-- PGPkey: http://Xtrmntr.org/salo.pgp                                  / \ --
-- Key Fingerprint: 75B2 2B96 CD75 0385 1C49  39B8 8B08 C30E 54BC 7263      --
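A userland model of the lookup Joe describes above, added here as an example (it is not Joe's utility nor NetBSD code): a linked list of ports that have rules, each carrying allow and deny lists keyed on uid or gid plus protocol, with superuser and unreserved ports short-circuiting the walk. The deny-before-allow precedence and the sample rule table are assumptions, not something the thread states.

```c
#include <stdbool.h>
#include <stddef.h>
#include <netinet/in.h>   /* IPPROTO_TCP, IPPROTO_UDP, IPPORT_RESERVED, in_port_t */
/* One allow or deny entry: a uid or gid, for one protocol. */
struct bindrule {
    bool is_group;                   /* true: id is a gid, false: a uid */
    unsigned int id;
    int proto;                       /* IPPROTO_TCP or IPPROTO_UDP */
    struct bindrule *next;
};
struct portrule {                    /* only ports that have rules appear here */
    in_port_t port;
    struct bindrule *allow, *deny;   /* walked in O(a) and O(d) */
    struct portrule *next;
};

static const struct bindrule *find_rule(const struct bindrule *l,
                                        unsigned int uid, unsigned int gid, int proto)
{
    for (; l != NULL; l = l->next)
        if (l->proto == proto && l->id == (l->is_group ? gid : uid))
            return l;
    return NULL;
}

/* Decide whether (uid, gid) may bind proto/port under the rule table. */
bool may_bind(const struct portrule *rules, unsigned int uid, unsigned int gid,
              int proto, in_port_t port)
{
    if (uid == 0 || port >= IPPORT_RESERVED)
        return true;             /* superuser always; rules only cover reserved ports */
    for (const struct portrule *p = rules; p != NULL; p = p->next) {   /* O(p) */
        if (p->port != port) continue;
        if (find_rule(p->deny, uid, gid, proto) != NULL)
            return false;        /* assumption: a matching deny wins over allow */
        return find_rule(p->allow, uid, gid, proto) != NULL;
    }
    return false;                /* no rule for this port: traditional restriction stays */
}
/* Constructed sample table: uid 1000 may bind tcp/80; gid 100 may bind udp/53 except uid 1001. */
const struct portrule *sample_rules(void)
{
    static struct bindrule a80 = { false, 1000, IPPROTO_TCP, NULL };
    static struct bindrule d53 = { false, 1001, IPPROTO_UDP, NULL };
    static struct bindrule a53 = { true, 100, IPPROTO_UDP, NULL };
    static struct portrule p53 = { 53, &a53, &d53, NULL };
    static struct portrule p80 = { 80, &a80, NULL, &p53 };
    return &p80;
}
```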
