From owner-freebsd-security  Mon Feb 21  5:43:20 2000
Delivered-To: freebsd-security@freebsd.org
Received: from nenya.ms.mff.cuni.cz (nenya.ms.mff.cuni.cz [195.113.17.179])
	by hub.freebsd.org (Postfix) with ESMTP id E1CE337BD4F
	for <freebsd-security@FreeBSD.ORG>; Mon, 21 Feb 2000 05:43:14 -0800 (PST)
	(envelope-from mencl@nenya.ms.mff.cuni.cz)
Received: from localhost (mencl@localhost)
	by nenya.ms.mff.cuni.cz (8.9.3+Sun/8.9.1) with ESMTP id OAA07413;
	Mon, 21 Feb 2000 14:43:10 +0100 (MET)
Date: Mon, 21 Feb 2000 14:43:10 +0100 (MET)
From: "Vladimir Mencl, MK, susSED" <mencl@nenya.ms.mff.cuni.cz>
To: Tom Marchand <unixwiz@mediaone.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Controlled Network Access
In-Reply-To: <200002200009.TAA24866@duval.se.mediaone.net>
Message-ID: <Pine.GSO.4.10.10002211437470.4961-100000@nenya.ms.mff.cuni.cz>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 19 Feb 2000, Tom Marchand wrote:

> I would like to control which users can access tcpip utilities(ftp,telnet,
> etc) by using groups.  I realize that this can be accomplished via the
> proper file permissions on each utility.  This works but it will not prevent
> somebody from compiling their own ftp, telnet etc.  My thought was to
> perform the authorization at the socket level.  This would entail
> modifaction of the kernel to only allow root or a member of the tcpip group
> to open a socket.  Does anybody know if this has been done or if it would
> even work?  I originally had this requirement at work to lock down external
> vendors.  Since we are an AIX shop it was quite easy.  On AIX you must be a
> member of the system group to access network utilities.


In Jun 99, a discussion was here proposing a new securelevel 4, at which
priviledged ports would be blocked even for root.

A result of the disceussion was, that a complete mechanism for
maintaining security policies regarding generic port-ranges would be
strongly welcome, however, I suppose nobody developed it yet.

If anybody did, that would be a solution for you.


You may search that thread by

Subject: proposed secure-level 4 patch


		Best regards

				Vlada Mencl



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message