> > > Further to what Seb said, in general, loopback sockets are treated as an
> > > IPC mechanism and may be used by any random set of applications that have
> > > no interest in actually using the network. That is, not having the
> > > proposed NET_ACCESS privilege may cause random applications to fail even
> > > though they never attempted to access the network. Is this really the
> > > desired behavior?
> >
> > Yes. I wouldn't call it random; they're still INET sockets.
>
> They are inet sockets as an IPC mechanism that has nothing to do with
> networking per se. Same with AF_UNIX sockets. That is, this privilege
> will both prevent use of the network and prevent applications that happen
> to use loopback and AF_UNIX sockets for IPC from working. We have no
> control over what applications those may be.
Why would this affect AF_UNIX sockets?

> In the case of loopback IPC: we do not support a system with lo0 unplumbed
> because we do not know what applications will break. This proposal seems
> to result in a system that is at least as unsupportable.

No, because it is a basic privilege and so all applications will have the
basic privileges unless they want to run without them.

It is similar to all the other basic privileges: we can't tell whether an
ordinary application will or will not work without a specific basic
privilege.

The basic privileges have added a new class of users, "subusers". You can
use it to contain applications (can't "call home") or users (can't squirrel
data away on the Internet). When removing a basic privilege, the onus is
on the administrator to determine that it will work for the particular
user.

Follow-on projects will allow us to select what INET connections can be
made; I do not believe that a carte blanche for "localhost" connections is
warranted: it allows sending email out through sendmail using the
submission port.

Casper