From owner-freebsd-questions@FreeBSD.ORG Mon Sep 14 17:45:09 2009
From: Chris Rees
Reply-To: utisoft@gmail.com
Date: Mon, 14 Sep 2009 18:44:48 +0100
To: Freminlins
Cc: FreeBSD Questions
Subject: Re: Non-root user and accept() or listen()
List-Id: User questions

2009/9/14 Freminlins :
> Hi,
>
> I am not sure if this exists (but don't think so), so I am asking.
>
> Is there a sysctl type thing to disallow non-root users, or indeed any
> specified user or group, from running a program with listen()?
>
> What I am looking at is improving network security, such that if a user
> account is compromised it can then not be used to run a dodgy web
> server/whatever on a non-privileged port. Although I can firewall off any
> port I wish, it seems like an obvious thing to disallow any user from
> opening a listening socket in the first place. I am suggesting something
> like "sysctl user.socket_listen" with enable or disable.
>
> Am I being really daft? Or does this exist already?
>
>
> Cheers,
> Frem.

Isn't this a bit drastic? Listening sockets are opened by very many types
of processes, as well as remembering that sendmail, BIND, and others don't
actually run as root...

I suppose it'd be possible, but would it actually be useful?

BTW, there may be an ipfw rule for this, I'll have to look it up when my
servers are back online!

Chris

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in a mailing list?
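As an added example that is not part of this thread, the following sh/awk filter approaches Frem's concern from the monitoring side rather than the enforcement side: it reads `sockstat -l` style output and reports every listening socket whose owner is not on an allow-list of expected daemon users. The sample `sockstat` output and the allow-list (`root bind www`) are constructed for the example; on a real host the output of `sockstat -4 -6 -l` would be piped in instead.

```shell
#!/bin/sh
# Constructed sample of `sockstat -4 -6 -l` output (not captured from a real host).
# Columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   3  tcp4   *:22                  *:*
bind     named      901   20 udp4   127.0.0.1:53          *:*
www      nginx      1023  6  tcp4   *:80                  *:*
alice    python     4242  3  tcp4   *:8080                *:*
bob      perl       4311  3  tcp6   *:8081                *:*'

# Print "user command proto local-address" for each listening socket whose
# owner is not in the allow-list.
#   $1    : whitespace-separated list of users expected to hold listeners
#   stdin : sockstat -l output (header line first)
flag_unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                       # skip the column header
        !($1 in ok) { print $1, $2, $5, $6 }   # user command proto local-address
    '
}

# Run over the constructed sample. On a FreeBSD host you would use:
#   sockstat -4 -6 -l | flag_unexpected_listeners "root bind www"
printf '%s\n' "$SAMPLE_SOCKSTAT" | flag_unexpected_listeners "root bind www"
```

Any line it prints is a listener held by an account that is not supposed to run a network service, which is exactly the "dodgy web server on a non-privileged port" case the question describes.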