[cap-talk] Unix FDs as capabilities, preventing socket creation, kerberos etc?

Rob J Meijer rmeijer at xs4all.nl
Fri Nov 25 12:48:06 EST 2005


I'm all rather excited about the possibilities of using
unix domain socket filehandles as capabilities, and would like
to try and use the concept in some of my private projects.
But now, looking at using the concept in a design, I'm running into a few
issues that I hope someone on the list would have some useful
thoughts about.

1) Using suid and chrootuid in process bootstrap makes it possible to
give a single process part of the user's authority. Using uid based
firewalling makes it possible to take away networking from a user id. So
far so good, but how about the two together: giving a process part of a
user's disk access, but disabling its networking without breaking the
user's networking? Is it in unix in any way possible to have a process drop
its possibility to create new sockets?

2) When bootstrapping the basic interconnection process and socket
infrastructure, initial authentication is essential. With normal
networking we have kerberos to take care of that, but over a tcp/ip socket
we can not communicate filehandles. Does anyone have any notion of how one could
integrate kerberos and the bootstrapping of a unix domain socket based
capability system design?

T.I.A.

Rob J Meijer


