Date: Wed, 17 Jan 2001 10:17:03 +0000 From: David Malone <dwmalone@maths.tcd.ie> To: Peter Pentchev <roam@orbitel.bg> Cc: "Walter W. Hop" <walter@binity.com>, "Michael R. Wayne" <wayne@staff.msen.com>, hackers@FreeBSD.ORG Subject: Re: Protections on inetd (and /sbin/* /usr/sbin/* in general) Message-ID: <20010117101703.A25338@walton.maths.tcd.ie> In-Reply-To: <20010117103330.L364@ringworld.oblivion.bg>; from roam@orbitel.bg on Wed, Jan 17, 2001 at 10:33:30AM %2B0200 References: <200101170335.WAA18537@manor.msen.com> <19357397493.20010117074723@binity.com> <20010117103330.L364@ringworld.oblivion.bg>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Jan 17, 2001 at 10:33:30AM +0200, Peter Pentchev wrote: > I've actually been thinking along the lines of something like that. > A bit more strict access control though - bind() on AF_INET and/or AF_INET6 > disabled by default, except for certain uid/sockaddr pairs. A kernel module > keeping a table of uid/sockaddr pairs, and a userland tool (bindcontrol?) > to feed it the necessary data. I think it would be very difficult to do this sensibly. You might be able to stop people listening on tcp ports, but if you stop people listening on UDP ports then DNS stops working. (Stopping people listening on TCP ports is also likely to break ssh, ftp and various other things - tough that may be desirable in the situation in question.) David. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010117101703.A25338>