Hi Alexander,

2015-08-09 14:55 GMT+02:00 Alexander Kabaev <[email protected]>:
> On Sun, 9 Aug 2015 09:37:13 +0200
> It most definitely does work, this is what I have done to get my
> network scripts work again. I wonder if there are other means of
> restricting raw sockets that can be used to achieve the result
> authors of rtsold had hoped for?

Yes, there sure are. We could for example call cap_rights_limit() on
the socket and whitelist the exact set of actions that the program
needs.

That said, it wouldn't make a difference in the end. It looks like
rtsol/rtsold don't seem to drop any privileges or switch credentials
after startup, assuming I haven't overlooked anything. Even if we were
to restrict the raw socket, the process could always open a new one
later on.

I think it would make sense for now to just commit the patch that I
proposed. Will push it into the tree tomorrow.

Thanks,
-- 
Ed Schouten <[email protected]>
Nuxi, 's-Hertogenbosch, the Netherlands
KvK/VAT number: 62051717
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "[email protected]"
