setfacl on Solaris 10 /dev/tcp
Sergey Prilutsky
sprilutsky at hotmail.com
Mon Aug 3 08:55:48 EDT 2009
Hi there,
In Solaris 8 we could disallow telnetting out by simply running setfacl on the /dev/tcp
link or the actual /devices/pseudo/tcp@0:tcp - that would block telnet and other binaries using
TCP/IP.
Solaris 8:
linutlb8[/] # setfacl -m group:nonet:--- /dev/tcp
linutlb8[/] # getfacl -a /dev/tcp
# file: /dev/tcp
# owner: root
# group: sys
user::rw-
group::rw- #effective:rw-
group:nonet:--- #effective:---
mask:rw-
other:rw-
linutlb8[/export/home/a74468] # telnet linupns2 2222
Trying 10.20.61.5...
telnet: socket: Permission denied
That does not work in Solaris 10 - we tried RBAC and priv (privileges) - still could not
get it to work. We need to be able to allow a process to open a device for
just receiving network traffic; sending traffic is disallowed.
In the privileges world it looks like there is a "PRIV_NET_OBSERVABILITY - Allow a
process to open a device for just receiving network traffic, sending traffic
is disallowed."
However, it is not available in Solaris 10; it is available in Solaris 11.
Does anyone know a way to accomplish that in Solaris 10?
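The getfacl listing in the Solaris 8 session above shows a named-group entry ("group:nonet:---") whose "#effective:" value depends on the mask, and whether it actually denies a user depends on which other group entries that user matches. The script below is an added example, not code from the original post or from Solaris: it parses a getfacl -a listing and evaluates the open(2)-style access check the way a POSIX.1e-draft ACL (the UFS ACL model Solaris uses) does, which is the assumption it is built on: owner first, then a named user entry, then the group class where any matching group entry that grants the permission wins, and only then "other". The sample listing is the one from the session; the user name a74468 and the group names staff and sys are taken from the session or chosen as plausible placeholders.

```python
"""Evaluate a Solaris getfacl(1) listing the way a POSIX-draft ACL check does.
Added example (not from the original post).  Assumption: the UFS/POSIX.1e draft
rule that once the process matches any group entry, access is granted if ANY
matching group entry grants it (after the mask) and never falls through to
'other'.  Meant for auditing a deny-by-group setup like the one above."""
import re
from dataclasses import dataclass, field

# Constructed sample: the /dev/tcp listing from the Solaris 8 session above.
SAMPLE_GETFACL = """\
# file: /dev/tcp
# owner: root
# group: sys
user::rw-
group::rw-              #effective:rw-
group:nonet:---         #effective:---
mask:rw-
other:rw-
"""

_PERMS = re.compile(r"^[r-][w-][x-]$")


@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_owner: str = "---"      # user::
    group_owner: str = "---"     # group::
    mask: str = "rwx"            # mask: (rwx means no restriction)
    other: str = "---"           # other:
    named_users: dict = field(default_factory=dict)   # user:NAME:
    named_groups: dict = field(default_factory=dict)  # group:NAME:


def parse_getfacl(text):
    """Parse the text of `getfacl -a FILE` into an Acl."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.split("#effective:", 1)[0].strip()  # drop the annotation
        if not line:
            continue
        if line.startswith("# owner:"):
            acl.owner = line.split(":", 1)[1].strip()
            continue
        if line.startswith("# group:"):
            acl.group = line.split(":", 1)[1].strip()
            continue
        if line.startswith("#"):          # "# file:" and any other comment
            continue
        parts = line.split(":")
        tag, perms = parts[0], parts[-1]
        if not _PERMS.match(perms):
            raise ValueError(f"bad ACL entry: {raw!r}")
        if tag == "mask":
            acl.mask = perms
        elif tag == "other":
            acl.other = perms
        elif tag in ("user", "group"):
            if len(parts) != 3:
                raise ValueError(f"bad ACL entry: {raw!r}")
            name = parts[1]
            if tag == "user":
                if name:
                    acl.named_users[name] = perms
                else:
                    acl.user_owner = perms
            elif name:
                acl.named_groups[name] = perms
            else:
                acl.group_owner = perms
        else:
            raise ValueError(f"unknown ACL tag: {raw!r}")
    return acl


def masked(perms, mask):
    """Apply the mask: a bit survives only if both the entry and the mask have it."""
    return "".join(p if p != "-" and p in mask else "-" for p in perms)


def has(perms, want):
    return all(bit in perms for bit in want)


def access(acl, user, groups, want="rw"):
    """POSIX-draft access check for `user` (member of `groups`) wanting `want`."""
    if user == acl.owner:                       # 1. owner: mask not applied
        return has(acl.user_owner, want)
    if user in acl.named_users:                 # 2. named user entry, masked
        return has(masked(acl.named_users[user], acl.mask), want)
    matching = []                               # 3. group class
    if acl.group in groups:
        matching.append(acl.group_owner)
    matching += [p for g, p in acl.named_groups.items() if g in groups]
    if matching:                                # any matching entry that grants wins
        return any(has(masked(p, acl.mask), want) for p in matching)
    return has(acl.other, want)                 # 4. everyone else


def effective_entries(acl):
    """Reproduce getfacl's '#effective:' view for the masked entries."""
    out = {"group::": masked(acl.group_owner, acl.mask)}
    out.update({f"group:{g}:": masked(p, acl.mask) for g, p in acl.named_groups.items()})
    out.update({f"user:{u}:": masked(p, acl.mask) for u, p in acl.named_users.items()})
    return out


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    for who, grps in [("a74468", {"nonet"}), ("a74468", {"nonet", "sys"}),
                      ("a74468", {"staff"}), ("root", {"sys"})]:
        verdict = "allowed" if access(acl, who, grps, "rw") else "DENIED"
        print(f"{who} in {sorted(grps)}: open /dev/tcp rw -> {verdict}")
```

Running it shows the caveat worth checking before relying on this control: a74468 in only nonet is denied, but a74468 in nonet and sys (the owning group, which still has rw-) is allowed, because the group class grants when any matching entry grants. The model says nothing about root or about a privilege-based bypass, and it cannot explain the Solaris 10 behaviour described in the post; it only tells you what the ACL itself would decide.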