[Simh] simh and tap device under linux

Tim Newsham newsham at lava.net
Tue Aug 25 14:45:26 EDT 2009


> What adjustments are possible in a typical Unix/Linux system that allow 
> pcap to work usefully yet don't give root access?

I don't know.  At the least you can probably patch your kernel's
priv check for the device to check for root user or some tap group.
I haven't attempted this and do not know if other mechanisms
in the kernel might be easier.

Another approach would be to have a special daemon that opens the
socket on your behalf.  It would need to run as root, authenticate
the users that connected to it (you can fetch the remote uid over
a unix domain socket) and pass back the descriptor to the client
(can also be done over a unix domain socket).  Then simh would have
to be patched to make use of this new mechanism.

> I know some proposed running simh inside a VM inside the real computer, 
> with the VM having better ability to turn on network access at the per 
> socket level and providing the security against messing up the "real" 
> machine. But I get confused enough by simh inside a real computer, never 
> mind the VM level.

I'm not understanding how this works.  But before you explain, I'd
like to point out that most VMs are not designed to be security
barriers.  Running an OS inside VMware does not give you security
guarantees about it not being able to attack the host system.  At
least so far VMware has not been bold enough to claim so.

> Tim.

Tim Newsham
http://www.thenewsh.com/~newsham/
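
The descriptor-passing daemon described in the message above, sketched as an added example (not part of the original post and not simh code): the daemon reads the peer's uid with Linux `SO_PEERCRED` and hands over an open descriptor with `SCM_RIGHTS`. All function names are hypothetical, the uid allow-list is an assumed policy, and a pipe stands in for the root-only tap/packet socket so the sketch runs unprivileged (Python 3.9+).

```python
import os
import socket
import struct

def peer_credentials(conn):
    """Return (pid, uid, gid) of the peer as recorded by the kernel (Linux only)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("iII"))
    return struct.unpack("iII", raw)

def serve_one(conn, open_privileged, allowed_uids):
    """Daemon side: authenticate the peer by uid, then pass it one descriptor."""
    _pid, uid, _gid = peer_credentials(conn)
    if uid not in allowed_uids:
        conn.sendall(b"DENY")
        return False
    fd = open_privileged()  # in a real daemon: the open that needs root
    try:
        socket.send_fds(conn, [b"OK"], [fd])  # SCM_RIGHTS ancillary message
    finally:
        os.close(fd)  # the receiver holds its own reference now
    return True

def request_fd(conn):
    """Client side (what a patched simulator would call): return the fd or None."""
    msg, fds, _flags, _addr = socket.recv_fds(conn, 16, 1)
    if msg != b"OK" or len(fds) != 1:
        for fd in fds:
            os.close(fd)
        return None
    return fds[0]

def demo(allowed_uids):
    """Run both sides over a socketpair; return bytes sent via the passed fd."""
    daemon, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    read_end, write_end = os.pipe()  # constructed stand-in for the device
    try:
        serve_one(daemon, lambda: os.dup(write_end), allowed_uids)
        fd = request_fd(client)
        if fd is None:
            return None
        os.write(fd, b"frame")  # client uses the descriptor it never opened
        os.close(fd)
        return os.read(read_end, 16)
    finally:
        daemon.close()
        client.close()
        os.close(read_end)
        os.close(write_end)

if __name__ == "__main__":
    print(demo({os.getuid()}), demo({os.getuid() + 1}))
```

In a deployment the daemon would listen on a filesystem-path unix socket; the socket file's mode and group ownership then act as a first filter before the uid check.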


