From owner-freebsd-questions@FreeBSD.ORG Mon Sep 14 16:47:19 2009
Date: Mon, 14 Sep 2009 17:47:18 +0100
From: Freminlins
To: FreeBSD Questions
Subject: Non-root user and accept() or listen()

Hi,

I am not sure if this exists (but don't think so), so I am asking.
Is there a sysctl type thing to disallow non-root users, or indeed any specified user or group, from running a program with listen()?

What I am looking at is improving network security, such that if a user account is compromised it can then not be used to run a dodgy web server/whatever on a non-privileged port. Although I can firewall off any port I wish, it seems like an obvious thing to disallow any user from opening a listening socket in the first place.

I am suggesting something like "sysctl user.socket_listen" with enable or disable.

Am I being really daft? Or does this exist already?

Cheers,
Frem.
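
The concern in the message above can also be checked after the fact. As an added example that is not part of the original post, this Python script flags TCP listeners owned by accounts outside an allowlist, reading text laid out like FreeBSD `sockstat -4 -l` output. The sample lines, the allowlist and the function names are constructed for illustration.

```python
# Added example: sample text is constructed, laid out like FreeBSD `sockstat -4 -l`.
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       612   4  tcp4   *:22                  *:*
www      httpd      843   3  tcp4   *:80                  *:*
frem     python     4410  3  tcp4   *:8080                *:*
frem     nc         4477  3  tcp4   127.0.0.1:9000        *:*
root     syslogd    501   6  udp4   *:514                 *:*
"""

ALLOWED_OWNERS = {"root", "www"}   # hypothetical site policy (assumption)
FIRST_UNPRIVILEGED_PORT = 1024     # ports below this need root to bind by default


def parse_tcp_listeners(text):
    """Return a list of dicts, one per TCP socket line; skip anything malformed."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue
        user, command, pid, _fd, proto, local = fields[:6]
        addr, _, port = local.rpartition(":")
        # listen() only applies to stream sockets, so UDP lines are ignored.
        if not proto.startswith("tcp") or not port.isdigit() or not pid.isdigit():
            continue
        rows.append({"user": user, "command": command, "pid": int(pid),
                     "addr": addr, "port": int(port)})
    return rows


def unexpected_listeners(text, allowed=ALLOWED_OWNERS):
    """TCP listeners whose owner is not on the allowlist, lowest port first."""
    hits = [r for r in parse_tcp_listeners(text) if r["user"] not in allowed]
    for r in hits:
        r["unprivileged_port"] = r["port"] >= FIRST_UNPRIVILEGED_PORT
    return sorted(hits, key=lambda r: r["port"])


if __name__ == "__main__":
    for r in unexpected_listeners(SAMPLE):
        print("{user} pid={pid} {command} listening on {addr}:{port}".format(**r))
```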