Date:      Wed, 17 Jan 2001 10:33:30 +0200
From:      Peter Pentchev <roam@orbitel.bg>
To:        "Walter W. Hop" <walter@binity.com>
Cc:        "Michael R. Wayne" <wayne@staff.msen.com>, hackers@FreeBSD.ORG
Subject:   Re: Protections on inetd (and /sbin/* /usr/sbin/* in general)
Message-ID:  <20010117103330.L364@ringworld.oblivion.bg>
In-Reply-To: <19357397493.20010117074723@binity.com>; from walter@binity.com on Wed, Jan 17, 2001 at 07:47:23AM +0100
References:  <200101170335.WAA18537@manor.msen.com> <19357397493.20010117074723@binity.com>

On Wed, Jan 17, 2001 at 07:47:23AM +0100, Walter W. Hop wrote:
> >    The exploit managed to start inetd, camped on the specified port
> 
> I guess, if it doesn't exist already, that it wouldn't be so hard to
> create a small patch to the kernel, so that only processes owned by root,
> or a certain group of users (let's say "daemon"), were allowed to set up
> listeners...

I've actually been thinking along the lines of something like that.
A bit more strict access control though - bind() on AF_INET and/or AF_INET6
disabled by default, except for certain uid/sockaddr pairs.  A kernel module
keeping a table of uid/sockaddr pairs, and a userland tool (bindcontrol?)
to feed it the necessary data.

Does this strike people as particularly useless? :)  I can think of at
least one situation where it would be useful - shell hosting with virtual
hostnames, where people are only allowed to have stuff listen on addresses
they themselves have registered.  And yes, I know about jail, and it seems
a bit too much of an overkill.

G'luck,
Peter

-- 
When you are not looking at it, this sentence is in Spanish.
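
The default-deny uid/sockaddr table described in the message above, modelled as a userland C sketch. This is an added example, not part of the original e-mail and not FreeBSD code. The names `bind_rule`, `bind_allowed` and `demo` are hypothetical, the uids and 192.0.2.x addresses are constructed sample data, and only IPv4 entries are modelled.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* One table entry: uid may bind() this IPv4 address; port 0 means any port. */
struct bind_rule {
    uid_t     uid;
    in_addr_t addr;   /* network byte order */
    in_port_t port;   /* network byte order */
};

/* Default deny: return 1 only when an entry matches uid, address and port. */
int bind_allowed(const struct bind_rule *tbl, size_t n, uid_t uid,
                 const struct sockaddr *sa, socklen_t len)
{
    struct sockaddr_in sin;
    if (sa == NULL || len < offsetof(struct sockaddr, sa_data)) return 0;
    if (sa->sa_family != AF_INET && sa->sa_family != AF_INET6)
        return 1;                 /* only the inet families are restricted */
    if (sa->sa_family != AF_INET || len < sizeof(sin))
        return 0;                 /* no IPv6 entries in this sketch: deny */
    memcpy(&sin, sa, sizeof(sin));
    for (size_t i = 0; i < n; i++) {
        /* Exact address match, so INADDR_ANY needs its own entry:
         * a wildcard bind would otherwise cover other users' addresses. */
        if (tbl[i].uid == uid && tbl[i].addr == sin.sin_addr.s_addr &&
            (tbl[i].port == 0 || tbl[i].port == sin.sin_port))
            return 1;
    }
    return 0;
}

/* Constructed sample policy: uid 1001 owns 192.0.2.10 (any port), uid 1002
 * owns 192.0.2.20 port 8080 only. Returns the decision for one attempt. */
int demo(uid_t uid, const char *ip, unsigned short port)
{
    struct bind_rule tbl[2] = {
        { 1001, inet_addr("192.0.2.10"), 0 },
        { 1002, inet_addr("192.0.2.20"), htons(8080) },
    };
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = inet_addr(ip);
    sin.sin_port = htons(port);
    return bind_allowed(tbl, 2, uid, (struct sockaddr *)&sin, sizeof(sin));
}
```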

