Received: by minnie.vk1xwt.ampr.org with NNTP id AA5469 ; Fri, 01 Jan 93 01:46:15 EST
Xref: sserve comp.protocols.tcp-ip:21151 comp.unix.bsd:9308
Newsgroups: comp.protocols.tcp-ip,comp.unix.bsd
Path: sserve!manuel.anu.edu.au!munnari.oz.au!sgiblab!zaphod.mps.ohio-state.edu!caen!mtu.edu!tony
From: tony@mtu.edu (Tony Dal Santo)
Subject: Re: Limiting Telnet access.
Message-ID: <1992Dec22.183213.10002@mtu.edu>
Organization: Michigan Technological University
References: <1992Dec21.211508.9555@mtu.edu>
Date: Tue, 22 Dec 1992 18:32:13 GMT
Lines: 37

tony@mtu.edu (Tony Dal Santo) writes:
>
>Along these lines, I am curious if anyone has an idea how to allow
>certain users access to the network, and deny others. Something
>like putting the user in group "network" to grant them access. By
>access, I mean system call level access like socket(). Even better
>would be to provide a list of addresses/networks that are restricted/
>allowed.
>
>I imagine with a streams implementation of tcp/ip, you could change
>the perms on /dev/ip or /dev/tcp.
>
>Does anyone have any utilities for tracing a TCP port to a process number?
>
>Tony Dal Santo
>tony@mtu.edu

Evidently I was not too clear, since I have received a few pointers
directing me to inetd wrappers. I am interested in restricting/granting
users access TO the network FROM my hosts. I can restrict access to the
binaries (telnet, ftp, etc.), but this doesn't stop them from compiling
their own copies of these utilities. The only way I see to filter access
is to control system calls like socket(), bind(), accept(). I can limit
access to networks via routing tables, but this doesn't provide
user-level granularity.

While inetd wrappers are nice, I don't see them addressing the problem.
Once I get access to your machine, I will bring my own set of utilities
with me (inetd), and avoid the administrator's attempts at logging.
Granted that some of the users' "daemons" (e.g. ftpd) won't be as
functional as the real ones because they don't run as root, but they
will certainly let me gain access and avoid being logged.

Sure, as an administrator I can see these processes, and kill them off.
Then the users will restart them via cron(8) and at(1). I don't have the
time to play hide and seek with users.

Tony Dal Santo