Accessfs
Objective
To have a working accessfs permission management system, with ports below 1024 accessible (bind-able) by a non-privileged user.
What's it and what's it for
Accessfs is a virtual filesystem used for permission management. In this HOWTO we'll cover IP port permissions. On typical POSIX systems, ports below 1024 are restricted to the superuser, which forces a daemon to start as the superuser (a potential security threat if privileges aren't dropped properly).
Cool, let's do it
Download the appropriate (= compatible with your kernel) version of the accessfs kernel patch from http://www.olafdietsche.de/linux/accessfs/. Now make sure your kernel symlink points to the correct version:
ls -l /usr/src/linux
If it's OK, go to that directory and apply the patch you've just downloaded:
zcat /path/to/the/accessfs-patch.gz | patch -p1
If the patch went OK, continue with make menuconfig (or xconfig, oldconfig... whatever you like) and configure the accessfs part like this:
Linux Kernel Configuration: Accessfs Kernel Modules Config
  File Systems --->
    Miscellaneous filesystems --->
      <M> Accessfs support (Experimental)
      <M> User permission based IP ports
      (1024) Range of protected ports (1024-65536) (NEW)
      <M> User permission based capabilities
I recommend compiling them as modules, so you can easily turn them on and off without rebooting. The port range we want to protect can be specified as a module parameter (max_prot_sock) at load time. Now compile these modules and install them, re-emerge any required module packages as well (alsa-driver, nvidia-kernel, ati-drivers, realtime-lsm... et cetera) and run update-modules:
make modules
make modules_install
update-modules
Now we should try loading them...
modprobe accessfs
modprobe usercaps
modprobe userports
Finally, chown a port and check whether a user-mode server can bind to it.
chown your_username /proc/access/net/ip/bind/PORT
foo-server --port PORT
Add these 3 modules to /etc/modules.autoload.d/kernel-2.6 so they load during boot, and you're done.
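As an added check for the procedure above (this is not part of the original HOWTO), a small Python helper that builds the accessfs node path for a protected port, performs the chown step, and tests from the delegated user's side whether a bind now succeeds. The node layout and the default range of 1024 protected ports come from the HOWTO; the function names are my own.

```python
import errno
import os
import pwd
import socket

# Node layout taken from the HOWTO above; the default protected range is 1024.
ACCESSFS_BIND_DIR = "/proc/access/net/ip/bind"


def accessfs_path(port, max_prot_sock=1024):
    """Return the accessfs node for a protected port.

    Ports outside 1..max_prot_sock-1 are not governed by accessfs at all, so
    chown'ing a node for them would change nothing; refuse them early.
    """
    if not 1 <= port < max_prot_sock:
        raise ValueError("port %d is outside the protected range 1-%d"
                         % (port, max_prot_sock - 1))
    return "%s/%d" % (ACCESSFS_BIND_DIR, port)


def grant_port(port, username):
    """Delegate a protected port to a user (the chown step of the HOWTO).

    Needs root, and the node only exists once accessfs and userports are
    loaded; os.chown raises FileNotFoundError otherwise.
    """
    node = accessfs_path(port)
    os.chown(node, pwd.getpwnam(username).pw_uid, -1)  # -1 keeps the group
    return node


def try_bind(port, host="127.0.0.1"):
    """Attempt a TCP bind and return (ok, errno_name).

    Run as the delegated user: EACCES means the kernel still treats the port
    as privileged (module not loaded, wrong owner, or port out of range).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return True, None
    except OSError as e:
        return False, errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()
```

Run grant_port as root, then try_bind from the target user's account; a result of (False, "EACCES") means the delegation did not take effect.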
Conclusion
The ports are now represented as files in /proc/access/net/ip/bind/, which you may chmod and chown as you wish. These changes do not affect servers running as root, so the setup is quite non-destructive.