Random thoughts:

* revoking a "basic" privilege falls under the category of "buyer beware"; introducing a new basic privilege by itself doesn't break anything, rather, it's revoking it that might break something.

* IMO, Casper's point that Solaris 8 could achieve this with an ACL on /dev/tcp (and presumably on /dev/udp as well?) was interesting; perhaps in this sense, the privilege merely provides a different way of doing what could have been done (if in an undocumented sort of way) before.

* A very cursory search via src.opensolaris.org of onnv-gate for localhost shows a lot of bogus hits (using that as a variable name where in fact something like the contents of uname -n gets stored in there). But there are enough interesting items remaining to leave me doubting that systemwide revocation of basic network privilege would leave the system runnable... although I rather doubt anyone is suggesting that such a thing be attempted or even should work... would there be any benefit to running like that which couldn't be achieved by simply not plumbing any non-loopback interface?

* said search also leaves me thinking that there are some perl modules that would break; given the conversation about non-obviousness, and the dependencies among perl modules, that points out even more the broad scope of non-obvious breakage.

* if a program uses a purely local IPC mechanism (AF_UNIX sockets, SysV IPC, POSIX IPC, etc.), that is a very clear expression of intent. Using IP loopback (localhost) is, without knowing the code, ambiguous insofar as the program might have an option to bind to localhost or to a wildcard (all interfaces) with relatively little extra code.

* efficiency: is there any documentation suggesting that AF_UNIX sockets may be more efficient than loopback AF_INET sockets?

* observability: AFAIK, there have been relatively recent additions (last couple of years?) to make the loopback interface observable. Are (named, at least) AF_UNIX sockets also observable, or is there work in that direction? Absent that capability, there may remain some incentive for programs to use AF_INET sockets and localhost where they could otherwise use AF_UNIX sockets.

* name services: to my way of thinking, the one area of non-obvious breakage where documentation might not be enough remediation would be if revocation of basic network privilege broke the various lookup routines; if e.g. "ls -l" couldn't get user and group names without that privilege, or worse yet, if whether it could depended on nsswitch.conf configuration, that might get ugly. I would _suppose_ that for anything cached by nscd, as long as nscd had that and such other privileges as it needed, it might not be a problem; but I think I'd like to see some testing.

In general however, I don't see a big deal with new basic privileges as long as the approximate scope of consequences of revoking them is well documented, and as long as there are clearly programs such that they would still work without that privilege _and_ some benefit could be had by running them without that privilege.

-- This message posted from opensolaris.org
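The "expression of intent" point above, as an added example that is not part of the original post: in POSIX socket code the only difference between a loopback-only TCP listener and an all-interfaces one is a single address constant, so intent cannot be read off the mere use of AF_INET, whereas an AF_UNIX endpoint is local by construction. The second function shows the check an auditor or privilege-revocation test would use to classify an already-bound endpoint from the kernel's view of it; it assumes a host with a loopback interface and makes no claim about which Solaris privilege gates each case.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/un.h>

/* TCP listener on an ephemeral port. Loopback-only vs. all-interfaces is
 * decided solely by the address constant on the marked line. */
static int make_tcp_listener(int wildcard)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = 0;                                   /* kernel picks a port */
    sin.sin_addr.s_addr = htonl(wildcard ? INADDR_ANY : INADDR_LOOPBACK); /* <- */
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 1) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Classify a bound endpoint: 1 = reachable only from this host (AF_UNIX, or
 * AF_INET bound inside 127/8), 0 = wildcard or non-loopback address, -1 = error. */
static int is_local_only(int fd)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;
    if (getsockname(fd, (struct sockaddr *)&ss, &len) < 0) return -1;
    if (ss.ss_family == AF_UNIX) return 1;              /* local by construction */
    if (ss.ss_family == AF_INET) {
        uint32_t a = ntohl(((struct sockaddr_in *)&ss)->sin_addr.s_addr);
        return (a >> 24) == 127;                        /* 127.0.0.0/8 */
    }
    return 0;
}

int main(void)
{
    int lo = make_tcp_listener(0), any = make_tcp_listener(1), sv[2];
    socketpair(AF_UNIX, SOCK_STREAM, 0, sv);
    printf("loopback tcp: %d  wildcard tcp: %d  af_unix: %d\n",
           is_local_only(lo), is_local_only(any), is_local_only(sv[0]));
    close(lo); close(any); close(sv[0]); close(sv[1]);
    return 0;
}
```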