Gentoo Wiki ArchivesGentoo Wiki

Accessfs

This article is part of the HOWTO series.
Installation Kernel & Hardware Networks Portage Software System X Server Gaming Non-x86 Emulators Misc

Contents

Objective

To have working accessfs permission management system and ports below 1024 accessible (bind-able) by non-privileged user.

What's it and what's it for

Accessfs is a virtual filesystem used for permission management. In this HOWTO we'll cover IP port permissions. On usual POSIX systems, ports <1024 are restricted to the superuser only, forcing a daemon to start as a superuser (creating a potential security threat if priviledges aren't dropped properly).

Cool, let's do it

Download the appropriate (= compatible with your kernel) version of accessfs kernel patch from http://www.olafdietsche.de/linux/accessfs/. Now make sure your kernel symlink points to correct version:

ls -l /usr/src/linux

If it's OK, go to that directory and apply the patch you've just downloaded:

zcat /path/to/the/accessfs-patch.gz | patch -p1

If the patch went OK, continue with make menuconfig (or xconfig, oldconfig... whatever you like) and configure the accessfs part like this:

Linux Kernel Configuration: Accessfs Kernel Modules Config
File Systems  --->
   Miscellanenous filesystems  --->
      <M> Accessfs support (Experimental)
      <M>   User permission based IP ports
      (1024)  Range of protected ports (1024-65536) (NEW)
      <M>   User permission based capabilities

I recommend to compile them as modules, so you can easily turn it on and off and you don't have to reboot. Port range we want to protect can be specified as a module parameter (max_prot_sock) at load time. Now compile these modules and install them, remerge any required module packages as well (alsa-driver, nvidia-kernel, ati-drivers, realtime-lsm... et cetera) and run update-modules:

make modules
make modules_install
update-modules

Now we should try loading them...

modprobe accessfs
modprobe usercaps
modprobe userports

Finally, chown a port and try if a user-mode server binds to it.

chown your_username /proc/access/net/ip/bind/PORT
foo-server --port PORT

Add these 3 modules to /etc/modules.autoload.d/kernel-2.6 so they load during boot and you're done.

Conclusion

Ports represented by files now reside in /proc/access/net/ip/bind/, you may chmod and chown them as you wish. Your changes will not affect root-based servers, so it's quite indestructive.


Last modified: Mon, 21 Jul 2008 09:46:00 +1000 Hits: 10,717

Created by NickStallman.net, Luxury Homes Australia
Real estate agents should list their apartments, townhouses and units in Australia.