Date:      Mon, 21 Feb 2000 14:43:10 +0100 (MET)
From:      "Vladimir Mencl, MK, susSED" <mencl@nenya.ms.mff.cuni.cz>
To:        Tom Marchand <unixwiz@mediaone.net>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Controlled Network Access
Message-ID:  <Pine.GSO.4.10.10002211437470.4961-100000@nenya.ms.mff.cuni.cz>
In-Reply-To: <200002200009.TAA24866@duval.se.mediaone.net>

On Sat, 19 Feb 2000, Tom Marchand wrote:

> I would like to control which users can access tcpip utilities (ftp, telnet,
> etc) by using groups.  I realize that this can be accomplished via the
> proper file permissions on each utility.  This works but it will not prevent
> somebody from compiling their own ftp, telnet etc.  My thought was to
> perform the authorization at the socket level.  This would entail
> modification of the kernel to only allow root or a member of the tcpip group
> to open a socket.  Does anybody know if this has been done or if it would
> even work?  I originally had this requirement at work to lock down external
> vendors.  Since we are an AIX shop it was quite easy.  On AIX you must be a
> member of the system group to access network utilities.


In Jun 99, a discussion was here proposing a new securelevel 4, at which
privileged ports would be blocked even for root.

A result of the discussion was that a complete mechanism for
maintaining security policies regarding generic port-ranges would be
strongly welcome; however, I suppose nobody has developed it yet.

If anybody did, that would be a solution for you.


You may search that thread by

Subject: proposed secure-level 4 patch


		Best regards

				Vlada Mencl


