From owner-freebsd-hackers  Wed Jan 17  0:35:12 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.189])
	by hub.freebsd.org (Postfix) with SMTP id 4F57637B6A5
	for <hackers@FreeBSD.ORG>; Wed, 17 Jan 2001 00:34:51 -0800 (PST)
Received: (qmail 14644 invoked by uid 1000); 17 Jan 2001 08:33:31 -0000
Date: Wed, 17 Jan 2001 10:33:30 +0200
From: Peter Pentchev <roam@orbitel.bg>
To: "Walter W. Hop" <walter@binity.com>
Cc: "Michael R. Wayne" <wayne@staff.msen.com>, hackers@FreeBSD.ORG
Subject: Re: Protections on inetd (and /sbin/* /usr/sbin/* in general)
Message-ID: <20010117103330.L364@ringworld.oblivion.bg>
Mail-Followup-To: "Walter W. Hop" <walter@binity.com>,
	"Michael R. Wayne" <wayne@staff.msen.com>, hackers@FreeBSD.ORG
References: <200101170335.WAA18537@manor.msen.com> <19357397493.20010117074723@binity.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <19357397493.20010117074723@binity.com>; from walter@binity.com on Wed, Jan 17, 2001 at 07:47:23AM +0100
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, Jan 17, 2001 at 07:47:23AM +0100, Walter W. Hop wrote:
> >    The exploit managed to start inetd, camped on the specified port
> 
> I guess, if it doesn't exist already, that it wouldn't be so hard to
> create a small patch to the kernel, so that only processes owned by root,
> or a certain group of users (let's say "daemon"), were allowed to set up
> listeners...

I've actually been thinking along the lines of something like that.
A bit more strict access control though - bind() on AF_INET and/or AF_INET6
disabled by default, except for certain uid/sockaddr pairs.  A kernel module
keeping a table of uid/sockaddr pairs, and a userland tool (bindcontrol?)
to feed it the necessary data.

Does this strike people as particularly useless? :)  I can think of at
least one situation where it would be useful - shell hosting with virtual
hostnames, where people are only allowed to have stuff listen on addresses
they themselves have registered.  And yes, I know about jail, and it seems
a bit too much of an overkill.

G'luck,
Peter

-- 
When you are not looking at it, this sentence is in Spanish.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message