On Thu, 05 Aug 2004 10:48:43 -0500, Les Mikesell <les@xxxxxxxxxxxxxxxx> wrote:

> But it still makes as much sense to require open() to pass the
> access control restrictions as it does for every other device.

It ceases to make sense once you realize that you are not opening the "device", per se, but simply a socket that is borne by said device. Character and block devices use open() to open the device itself. A network device is "always on", so to speak, and you use socket() to create a communications channel through that device.

> I was very surprised when I first saw that Linux
> omitted such a basic security concept of unix (all the
> magic happens in open()). As far as the network goes, it is
> the same thing as Lindows/Linspire defaulting to letting everyone
> run as root.

I see your point. But this interface was designed over 20 years ago by the BSD team and it certainly made sense from their perspective to create a new set of system calls because this type of device did not neatly fit into the "everything is a file" paradigm that UNIX uses.

But, clearly, it would be a great benefit if you could set your eth0 to 0600 root:root and prevent regular users from abusing the network card. The question is, though, what would doing that actually mean? I believe the impediment to this solution is that the card signals the kernel of incoming packets with no warning, and thus checking the user permissions is not possible since the handling of network devices happens all in interrupt context (i.e. not on behalf of a particular user). As well, the datalink, network and transport layers have no concept of user permissions or ownership and you couldn't tack one on without implementing a global authentication scheme that everyone involved adheres to.

--
[ Tobias DiPasquale ]
0x636f6465736c696e67657240676d61696c2e636f6d