On Tue, 24 Sep 2002, Paul Schenkeveld wrote:

> Hi Thomas,
>
> On Tue, Sep 24, 2002 at 01:31:59AM +0200, tho wrote:
> > hi Paul,
> >
> > have you considered using a "file descriptor passing" based technique
> > (section 14.7 of Stevens' UNPv1) ?
> >
> > you may have a process with suser privs which creates file descriptors
> > (e.g. socket bind()ed to a particular address and port) on demand and then
> > passes back the descriptor to the requesting (unprivileged) process through
> > a unix domain socket
>
> I know this technique but the real issue is about many pieces of
> standard software, like BIND named, sendmail, syslogd and so on.
> So this technique, although very usable for new projects, will
> not solve this problem.

As long as the programs are dynamically linked, you can LD_PRELOAD a
wrapper for bind() that passes the socket and address information to
the privileged process that does the actual bind() call and replies
with an errno value.

It works.  I've done it.

  $.02,
  /Mikko

 Mikko Työläjä [EMAIL PROTECTED]
 RSA Security
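The mechanism the thread describes, as an added example that is not code from the thread or from any of its authors: the unprivileged side ships a socket plus the address it wants over a Unix domain socket (SCM_RIGHTS, the descriptor-passing technique from UNPv1 14.7), the privileged side does the real bind() and replies with an errno value. Function names (request_privileged_bind, serve_bind_request, bind_through_helper, demo_bind_twice) and the wire format are this example's own. The LD_PRELOAD part is not shown: a shim would define bind(), look up the real one with dlsym(RTLD_NEXT, "bind"), and call request_privileged_bind only for addresses the caller cannot bind itself. The helper is forked in-process here so the example runs without root (it binds 127.0.0.1 to an ephemeral port); a real helper would be a separate privileged daemon that checks the peer's credentials and the requested address against a policy before binding, and the example leaves that policy out apart from a family check.

```c
/* Added example: privileged bind via descriptor passing (not from the thread). */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

/* One request on the channel: address length plus address bytes; the socket
 * itself travels out of band as an SCM_RIGHTS descriptor. Names are ours. */
struct bind_req {
    socklen_t addrlen;
    struct sockaddr_storage addr;
};

/* Unprivileged side (what an LD_PRELOAD bind() shim would call). Returns the
 * errno the helper reports, 0 on success, or a local errno on channel error. */
int request_privileged_bind(int chan, int fd, const struct sockaddr *addr,
                            socklen_t addrlen)
{
    struct bind_req req;
    struct iovec iov = { &req, sizeof req };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg;
    struct cmsghdr *cm;
    int reply;

    if (addrlen > sizeof req.addr)
        return EINVAL;
    memset(&req, 0, sizeof req);
    req.addrlen = addrlen;
    memcpy(&req.addr, addr, addrlen);

    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;           /* attach the socket descriptor */
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));

    if (sendmsg(chan, &msg, 0) != (ssize_t)sizeof req)
        return errno ? errno : EIO;
    if (read(chan, &reply, sizeof reply) != (ssize_t)sizeof reply)
        return errno ? errno : EIO;
    return reply;
}

/* Privileged side: receive one request, bind the passed descriptor, send the
 * resulting errno back (0 on success) and drop our copy of the descriptor.
 * Returns the errno that was sent, or -1 if the request was malformed. */
int serve_bind_request(int chan)
{
    struct bind_req req;
    struct iovec iov = { &req, sizeof req };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg;
    struct cmsghdr *cm;
    int fd = -1, result;

    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;
    if (recvmsg(chan, &msg, 0) != (ssize_t)sizeof req)
        return -1;
    for (cm = CMSG_FIRSTHDR(&msg); cm != NULL; cm = CMSG_NXTHDR(&msg, cm))
        if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS &&
            cm->cmsg_len == CMSG_LEN(sizeof(int)))
            memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    if (fd < 0)
        return -1;                        /* no descriptor attached */

    /* Policy goes here in a real helper (peer uid, allowed ports). This
     * example only rejects address families it does not expect. */
    if (req.addrlen > sizeof req.addr ||
        (req.addr.ss_family != AF_INET && req.addr.ss_family != AF_INET6))
        result = EAFNOSUPPORT;
    else if (bind(fd, (struct sockaddr *)&req.addr, req.addrlen) < 0)
        result = errno;                   /* e.g. EADDRINUSE, EACCES */
    else
        result = 0;
    close(fd);                            /* the caller keeps its own copy */
    if (write(chan, &result, sizeof result) != (ssize_t)sizeof result)
        return -1;
    return result;
}

/* Demo plumbing: socketpair as the channel, helper forked for the duration
 * of one request. Returns the helper's errno reply or -1 on channel failure. */
int bind_through_helper(int fd, const struct sockaddr *addr, socklen_t addrlen)
{
    int chan[2], status, res;
    pid_t pid;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan) < 0)
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {                       /* "privileged" helper */
        close(chan[0]);
        serve_bind_request(chan[1]);
        _exit(0);
    }
    close(chan[1]);
    res = request_privileged_bind(chan[0], fd, addr, addrlen);
    close(chan[0]);
    waitpid(pid, &status, 0);
    return res;
}

/* Bind one TCP socket to 127.0.0.1:ephemeral through the helper, then ask it
 * to bind a second socket to the port the first received. Returns 1 when the
 * first bind succeeds and the second comes back as EADDRINUSE, else 0. */
int demo_bind_twice(void)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    int s1 = socket(AF_INET, SOCK_STREAM, 0);
    int s2 = socket(AF_INET, SOCK_STREAM, 0);
    int ok = 0;

    if (s1 < 0 || s2 < 0)
        return 0;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;                     /* kernel picks a free port */
    if (bind_through_helper(s1, (struct sockaddr *)&sin, sizeof sin) == 0 &&
        getsockname(s1, (struct sockaddr *)&sin, &len) == 0 && sin.sin_port != 0)
        ok = bind_through_helper(s2, (struct sockaddr *)&sin, sizeof sin) == EADDRINUSE;
    close(s1);
    close(s2);
    return ok;
}

int main(void)
{
    printf("bind via helper, then conflicting bind: %s\n",
           demo_bind_twice() ? "ok" : "unexpected result");
    return 0;
}
```

Two caveats a practitioner would want stated: the dynamic loader ignores LD_PRELOAD for set-user-ID binaries, so the shim only covers programs started unprivileged; and because the helper binds whatever descriptor it is handed, all of the security rests on the helper's own checks of who is asking and for which address, not on anything in the shim.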


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
