From owner-freebsd-security Sat Feb 19 16:15:52 2000 Delivered-To: freebsd-security@freebsd.org Received: from pawn.primelocation.net (pawn.primelocation.net [205.161.238.235]) by hub.freebsd.org (Postfix) with ESMTP id E4D9837BC87 for ; Sat, 19 Feb 2000 16:15:44 -0800 (PST) (envelope-from cdf.lists@fxp.org) Received: by pawn.primelocation.net (Postfix, from userid 1016) id B2F7E9B17; Sat, 19 Feb 2000 19:15:43 -0500 (EST) Received: from localhost (localhost [127.0.0.1]) by pawn.primelocation.net (Postfix) with ESMTP id A6745BA1D; Sat, 19 Feb 2000 19:15:43 -0500 (EST) Date: Sat, 19 Feb 2000 19:15:43 -0500 (EST) From: "Chris D. Faulhaber" X-Sender: cdf.lists@pawn.primelocation.net To: Tom Marchand Cc: freebsd-security@freebsd.org Subject: Re: Controlled Network Access In-Reply-To: <200002200009.TAA24866@duval.se.mediaone.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, 19 Feb 2000, Tom Marchand wrote: > I would like to control which users can access tcpip utilities(ftp,telnet, > etc) by using groups. I realize that this can be accomplished via the > proper file permissions on each utility. This works but it will not prevent > somebody from compiling their own ftp, telnet etc. My thought was to > perform the authorization at the socket level. This would entail > modifaction of the kernel to only allow root or a member of the tcpip group > to open a socket. Does anybody know if this has been done or if it would > even work? I originally had this requirement at work to lock down external > vendors. Since we are an AIX shop it was quite easy. On AIX you must be a > member of the system group to access network utilities. > Although not at the socket() level, you may want to look into uid/gid filtering via ipfw. ----- Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org -------------------------------------------------------- FreeBSD: The Power To Serve - http://www.FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message