Re: [Fed-Talk] Linux Capabilities, OSX equivalent?
- Subject: Re: [Fed-Talk] Linux Capabilities, OSX equivalent?
- From: Ernest Prabhakar <email@hidden>
- Date: Mon, 22 May 2006 10:54:45 -0700
Hi Brian,
On May 21, 2006, at 6:35 PM, Brian Raymond wrote:
> This is a fairly in-depth technical question I wouldn't normally float on the Fed-Talk list, but since this is for a government customer and it provides a chance to bring this topic up, I thought it was appropriate.
You're welcome to ask on the darwin-dev lists, where more UNIX hackers hang out. :-)
> I have a strong Linux/BSD background, so I generally find myself knowing how to do something in Linux and Free/OpenBSD; however, I can't always find a mapping for OSX. In this case I want to grant an unprivileged user the ability to bind to reserved ports (< 1024) on OSX. It's somewhat limited, but in Linux I can grant the capability "CAP_NET_BIND_SERVICE" to allow a process to bind to a reserved port without it being (set)uid 0. Does anyone by chance know how you would accomplish that with OSX?
To the best of my knowledge, there is no standard way to allow unprivileged users to bind to reserved ports. The "Mac OS X" way of solving that problem is to bind to a high port, then advertise via Bonjour. Otherwise, yeah, you'd need to first bind as uid 0 and then drop privilege.
If you can provide more details about the _specific_ problem you're trying to solve, I can try to find out if there is an easier way. If your group has DTS incidents (say, from a Select membership), you could also use those to help answer these kinds of questions.
> The more general question is: how do I add or remove fine-grained capabilities to users and/or processes in OSX in the standard DAC security model? I'm differentiating the standard DAC security model from any more robust MAC implementations coming down the pipe that someone might mention, mainly because I generally would still need to provide access using DAC, since all solutions I'm aware of are layered.
I'm not sure I follow your question. Currently access control lists are implemented in the filesystem, not at the process level. The only "capabilities" I'm aware of are the Admin role, which is fairly coarse-grained.
> Thanks.
> - Brian
> (Since I'm on the topic, one of the other things that FreeBSD and Linux handle well is layer 2 bridging for ethernet interfaces. I looked a little a couple of months ago but couldn't find how to manage it in OSX aside from simple connection sharing.)
You don't mean 802.11ad, do you?
--- Ernie P.
-------------------------------------------------------------------------------------------
Ernest N. Prabhakar, Ph.D. (408) 974-3075 <ernest at apple.com>
Product Manager, Open Source & Open Standards; Mac OS X Product Marketing
Apple Computer; 303-4SW 3 Infinite Loop; Cupertino, CA 95014
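The "bind as uid 0, then drop privilege" pattern Ernie describes, as an added example that is not part of the original thread: the socket is bound while still root, then groups, gid and uid are switched in that order and the drop is verified to be irreversible. The port and user name on the command line, and the loopback-only bind, are assumptions of this example.

```c
#define _GNU_SOURCE          /* setgroups() prototype on glibc; harmless on macOS/BSD */
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a TCP listening socket on 127.0.0.1:port. A port below 1024 needs euid 0,
 * so this runs before the drop. Returns the fd, or -1 with errno set. */
int bind_listen(uint16_t port) {
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Permanently switch to uid/gid. Order matters: supplementary groups and gid
 * first, uid last, because once uid 0 is gone the group changes would fail.
 * Returns 0 on success, -1 if a step failed or root could still be regained. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(1, &gid) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* the drop must be irreversible */
    return (getuid() == uid && geteuid() == uid && getgid() == gid && getegid() == gid) ? 0 : -1;
}

/* Run as root, e.g.: ./a.out 80 nobody */
int main(int argc, char **argv) {
    if (argc != 3) { fprintf(stderr, "usage: %s port user\n", argv[0]); return 2; }
    struct passwd *pw = getpwnam(argv[2]);
    if (!pw) { fprintf(stderr, "unknown user %s\n", argv[2]); return 2; }
    int fd = bind_listen((uint16_t)strtoul(argv[1], NULL, 10));
    if (fd < 0) { perror("bind_listen"); return 1; }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) < 0) { perror("drop_privileges"); return 1; }
    printf("listening on port %s as uid %u, root dropped\n", argv[1], (unsigned)getuid());
    return 0;  /* the accept loop would follow here, now running unprivileged */
}
```

If the program is later compromised, the listening socket it already holds is all an attacker inherits; it can no longer open other reserved ports or regain uid 0.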