*BSD News Article 9251



Received: by minnie.vk1xwt.ampr.org with NNTP
	id AA5469 ; Fri, 01 Jan 93 01:46:15 EST
Xref: sserve comp.protocols.tcp-ip:21151 comp.unix.bsd:9308
Newsgroups: comp.protocols.tcp-ip,comp.unix.bsd
Path: sserve!manuel.anu.edu.au!munnari.oz.au!sgiblab!zaphod.mps.ohio-state.edu!caen!mtu.edu!tony
From: tony@mtu.edu (Tony Dal Santo)
Subject: Re: Limiting Telnet access.
Message-ID: <1992Dec22.183213.10002@mtu.edu>
Organization: Michigan Technological University
References: <1992Dec21.211508.9555@mtu.edu>
Date: Tue, 22 Dec 1992 18:32:13 GMT
Lines: 37

tony@mtu.edu (Tony Dal Santo) writes:
>
>Along these lines, I am curious if anyone has an idea how to allow
>certain users access to the network, and deny others.  Something
>like putting the user in group "network" to grant them access.  By
>access, I mean system call level access like socket().  Even better
>would be to provide a list of addresses/networks that are restricted/
>allowed.
>
>I imagine with a streams implementation of tcp/ip, you could change
>the perms on /dev/ip or /dev/tcp.
>
>Does anyone have any utilities for tracing a TCP port to a process number?
>
>Tony Dal Santo
>tony@mtu.edu

Evidently I was not too clear since I have received a few pointers
directing me to inetd wrappers.  I am interested in restricting/granting
users access TO the network FROM my hosts.  I can restrict access to
the binaries (telnet, ftp, etc.), but this doesn't stop them from compiling
their own copies of these utilities.  The only way I see to filter access
is to control system calls like socket(), bind(), accept().  I can limit
access to networks via routing tables, but this doesn't provide user-level
granularity.

While inetd wrappers are nice, I don't see them addressing the problem.
Once I get access to your machine, I will bring my own set of utilities
with me (inetd), and avoid the administrator's attempts at logging.
Granted that some of the users' "daemons" (e.g. ftpd) won't be as functional
as the real ones because they don't run as root, but they will certainly
let me gain access and avoid being logged.  Sure, as an administrator I
can see these processes, and kill them off.  Then the users will restart
them via cron(8) and at(1).  I don't have the time to play hide and seek
with users.

Tony Dal Santo
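The post asks for a way to trace a TCP port to a process number and describes the problem of users starting their own listening daemons. The script below is an added example, not part of the original post: it parses the output of FreeBSD's `sockstat -4l` (assumed column layout: USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS) to map a port to its PID and to list listeners not owned by root. The sample output is constructed.

```shell
#!/bin/sh
# Constructed sample in the assumed layout of `sockstat -4l` on FreeBSD.
# PIDs, users and ports are made up for the example.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
root     inetd      640   5  tcp4   *:21                  *:*
tony     ftpd       2317  3  tcp4   *:2121                *:*
tony     telnetd    2330  4  tcp4   10.0.0.5:4023         *:*
root     sendmail   700   3  tcp4   127.0.0.1:25          *:*'

# port_to_pid PORT: read sockstat-style lines on stdin and print
# "PID USER COMMAND" for the TCP socket listening on PORT.
# The header line is skipped and the port is the last ':'-separated
# component of the LOCAL ADDRESS column ($6).
port_to_pid() {
    awk -v port="$1" 'NR > 1 && $5 ~ /^tcp/ {
        n = split($6, a, ":")
        if (a[n] == port) print $3, $1, $2
    }'
}

# nonroot_listeners: print "PORT PID USER COMMAND" for every TCP listener
# whose owner is not root. These are the candidate user-started daemons
# (a private ftpd or telnetd) that inetd wrappers never see.
nonroot_listeners() {
    awk 'NR > 1 && $1 != "root" && $5 ~ /^tcp/ {
        n = split($6, a, ":")
        print a[n], $3, $1, $2
    }'
}

# Use the live socket table when sockstat is present, otherwise the sample.
if command -v sockstat >/dev/null 2>&1; then
    sockstat -4l | nonroot_listeners
else
    printf '%s\n' "$SAMPLE_SOCKSTAT" | nonroot_listeners
fi
```

Run periodically from root's crontab and diff against the previous run to catch daemons that users restart via cron(8) or at(1).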