UidBind 0.4

UidBind is a simple module that allows calls to the bind() function only for the uid/gid defined in a configfs tree.

Example:

Admin joe has loaded the uidbind module. User sam (with uid 1017) then tries to bind() on port 8081:


sam@hell:~$ nc -l -p 8081
Can't grab 0.0.0.0:8081 with bind : Operation not permitted

Now, Admin joe goes to /config/uidbind and...


root@hell:/config/uidbind: mkdir 8081
root@hell:/config/uidbind: cat 8081/uid
0
root@hell:/config/uidbind: echo 1017 >8081/uid
root@hell:/config/uidbind: cat 8081/uid
1017


...then User sam retries binding:
sam@hell:~$ nc -l -p 8081


...now it works and sam is happy

Admin joe has 2 ipv4 addresses configured on his server (192.168.1.2 and 192.168.1.3) and he wants to assign port 8082 to 2 different users:

tom (uid 1017) and rob (uid 1026)

root@hell:/config/uidbind: mkdir 8082
root@hell:/config/uidbind: mkdir 8082/192.168.1.2
root@hell:/config/uidbind: mkdir 8082/192.168.1.3
root@hell:/config/uidbind: echo 1017 > 8082/192.168.1.2/uid
root@hell:/config/uidbind: echo 1026 > 8082/192.168.1.3/uid


...now tom can bind port 8082 on address 192.168.1.2 and rob on address 192.168.1.3.

But Admin joe is paranoid and knows that rob needs only port 8082 on udp:

root@hell:/config/uidbind: echo 0 > 8082/192.168.1.3/uid
root@hell:/config/uidbind: echo 1026 > 8082/192.168.1.3/udp_uid



Admin joe now wants to allow bind() on port 8083 to all members of group "binders" (gid 1717):

root@hell:/config/uidbind: mkdir 8083
root@hell:/config/uidbind: echo 1717 >8083/gid



...but User dom (uid 1030) needs to bind() on all udp ports still unconfigured by Admin joe:

root@hell:/config/uidbind: mkdir all
root@hell:/config/uidbind: echo 1030 >all/udp_uid


Admin joe now wants only python scripts owned by User dom to be able to bind() on port 8017:

root@hell:/config/uidbind: mkdir 8017
root@hell:/config/uidbind: echo 1030 >8017/uid
root@hell:/config/uidbind: echo python >8017/comm
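
To review what has been granted, the tree can be walked and every set attribute listed. The script below is an added example, not part of UidBind; it uses only the file names shown in the sessions above (uid, udp_uid, gid, comm) and assumes that 0 or an empty file means no grant.

```shell
#!/bin/sh
# Added example: list every grant found in a uidbind configfs tree.
# The port/address/"all" layout and the attribute names come from the
# sessions above; treating 0 or an empty file as "no grant" is an assumption.

# _uidbind_attrs DIR PORT ADDR -> prints "<port> <address> <attr> <value>"
_uidbind_attrs() {
    for attr in uid udp_uid gid comm; do
        f="$1/$attr"
        [ -f "$f" ] || continue
        val=$(cat "$f")
        case "$val" in ''|0) continue ;; esac
        printf '%s %s %s %s\n' "$2" "$3" "$attr" "$val"
    done
}

# uidbind_audit [ROOT] -> one line per grant, ROOT defaults to /config/uidbind
uidbind_audit() {
    root=${1:-/config/uidbind}
    for portdir in "$root"/*/; do
        [ -d "$portdir" ] || continue
        port=$(basename "$portdir")
        # Attributes directly under the port apply to every address ("*").
        _uidbind_attrs "$portdir" "$port" "*"
        # Address subdirectories narrow a grant to one local address.
        for addrdir in "$portdir"*/; do
            [ -d "$addrdir" ] || continue
            _uidbind_attrs "$addrdir" "$port" "$(basename "$addrdir")"
        done
    done
}

# Run against the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then uidbind_audit "$1"; fi
```

Entries under "all" and port-level entries with address "*" are the broadest grants and the first ones worth checking.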

Last updated on: June 14th, 2007, 14:11 GMT
Price: FREE!
Developed by: Roberto De Ioris
Homepage: projects.unbit.it
License type: GPL (GNU General Public License)