UidBind LSM

This simple module allows call to bind() function only to uid/gid defined in a configfs tree.

Example:

Admin joe has loaded the uidbind module, then User sam (with uid 1017) tries bind() on port 8081:

	sam@hell:~$ nc -l -p 8081
	Can't grab 0.0.0.0:8081 with bind : Operation not permitted
	
Now, Admin joe goes to /config/uidbind and...

	root@hell:/config/uidbind: mkdir 8081
	root@hell:/config/uidbind: cat 8081/uid
	0
	root@hell:/config/uidbind: echo 1017 >8081/uid
	root@hell:/config/uidbind: cat 8081/uid
	1017
	

...then User sam retries binding:
		sam@hell:~$ nc -l -p 8081
		
	
...now it works and sam is happy

Admin joe has 2 ipv4 addresses configured on his server (192.168.1.2 and 192.168.1.3) and he wants to assign port 8082 to 2 different users:
tom (uid 1017) and rob (uid 1026)
		root@hell:/config/uidbind: mkdir 8082
		root@hell:/config/uidbind: mkdir 8082/192.168.1.2
		root@hell:/config/uidbind: mkdir 8082/192.168.1.3
		root@hell:/config/uidbind: echo 1017 > 8082/192.168.1.2/uid
		root@hell:/config/uidbind: echo 1026 > 8082/192.168.1.3/uid
	

...now tom can bind port 8082 on address 192.168.1.2 and rob on address 192.168.1.3.

But Admin joe is paranoid and knows that rob needs only port 8082 on udp:
		root@hell:/config/uidbind: echo 0 > 8082/192.168.1.3/uid	
		root@hell:/config/uidbind: echo 1026 > 8082/192.168.1.3/udp_uid	
	


Admin joe now wants to allow bind() on port 8083 to all members of group "binders" (gid 1717):
		root@hell:/config/uidbind: mkdir 8083
		root@hell:/config/uidbind: echo 1717 >8083/gid
	


...but User dom (uid 1030) needs to bind() on all udp ports still unconfigured by Admin joe:
		root@hell:/config/uidbind: mkdir all
		root@hell:/config/uidbind: echo 1030 >all/udp_uid
	

Admin joe now wants that only python scripts owned by User dom can bind() on port 8017:
		root@hell:/config/uidbind: mkdir 8017
		root@hell:/config/uidbind: echo 1030 >8017/uid
		root@hell:/config/uidbind: echo python >8017/comm
	


You can download uidbind module from here:
uidbind-lsm-0.4.tar.gz

patch against vanilla 2.6.21: uidbind-lsm-0.4.patch


You need (obviously) the LSM framework and a system with configfs enabled:
	root@hell: modprobe configfs
	root@hell: mount -t configfs none /config
	

POWERED BY UNBIT