From owner-freebsd-hackers Wed Jan 17 2:17:28 2001
Date: Wed, 17 Jan 2001 10:17:03 +0000
From: David Malone
To: Peter Pentchev
Cc: "Walter W. Hop", "Michael R. Wayne", hackers@FreeBSD.ORG
Subject: Re: Protections on inetd (and /sbin/* /usr/sbin/* in general)
Message-ID: <20010117101703.A25338@walton.maths.tcd.ie>
References: <200101170335.WAA18537@manor.msen.com> <19357397493.20010117074723@binity.com> <20010117103330.L364@ringworld.oblivion.bg>
In-Reply-To: <20010117103330.L364@ringworld.oblivion.bg>; from roam@orbitel.bg on Wed, Jan 17, 2001 at 10:33:30AM +0200

On Wed, Jan 17, 2001 at 10:33:30AM +0200, Peter Pentchev wrote:

> I've actually been thinking along the lines of something like that.
> A bit more strict access control though - bind() on AF_INET and/or AF_INET6
> disabled by default, except for certain uid/sockaddr pairs. A kernel module
> keeping a table of uid/sockaddr pairs, and a userland tool (bindcontrol?)
> to feed it the necessary data.

I think it would be very difficult to do this sensibly. You might be able to stop people listening on tcp ports, but if you stop people listening on UDP ports then DNS stops working. (Stopping people listening on TCP ports is also likely to break ssh, ftp and various other things - though that may be desirable in the situation in question.)

David.
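An added illustration of the exchange above, not code from either poster or from FreeBSD: a userland model of the proposed default-deny uid/sockaddr table, run against what a stub resolver does before sending a query (bind a UDP socket to port 0 so the kernel picks an ephemeral port). The rule struct, `bind_allowed`, `resolver_ephemeral_port` and the uid 1001 rules are all hypothetical.

```c
/* Added example (hypothetical names): model the proposed bindcontrol table
 * and show why a default-deny policy on UDP binds breaks a stub resolver. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* One hypothetical table entry: uid may bind (family, proto, port).
 * A rule with port 0 matches any port, including ephemeral ones. */
struct bind_rule { uid_t uid; int family; int proto; uint16_t port; };

/* Constructed table: uid 1001 may listen on TCP/22; the second rule, which
 * permits any UDP port, is what a resolver needs and what a strict
 * per-port policy would leave out. */
static const struct bind_rule example_table[] = {
    { 1001, AF_INET, IPPROTO_TCP, 22 },
    { 1001, AF_INET, IPPROTO_UDP, 0 },
};

/* Default deny: the bind is allowed only if some rule matches. */
static int bind_allowed(const struct bind_rule *t, size_t n,
                        uid_t uid, int family, int proto, uint16_t port)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].uid == uid && t[i].family == family && t[i].proto == proto
            && (t[i].port == 0 || t[i].port == port))
            return 1;
    return 0;
}

/* What a stub resolver does for a UDP query: bind to port 0 and let the
 * kernel choose an ephemeral port. Returns that port, or 0 on failure. */
static uint16_t resolver_ephemeral_port(void)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0) return 0;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    sin.sin_port = 0;
    if (bind(s, (struct sockaddr *)&sin, sizeof sin) < 0 ||
        getsockname(s, (struct sockaddr *)&sin, &len) < 0) {
        close(s);
        return 0;
    }
    close(s);
    return ntohs(sin.sin_port);
}
```

With only the TCP/22 rule loaded (`bind_allowed(example_table, 1, ...)`) the resolver's ephemeral UDP bind is denied and name resolution fails, which is the failure David describes; the any-port UDP rule is what makes it pass.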