Date: Wed, 17 Jan 2001 12:29:16 +0200 From: Peter Pentchev <roam@orbitel.bg> To: David Malone <dwmalone@maths.tcd.ie> Cc: "Walter W. Hop" <walter@binity.com>, "Michael R. Wayne" <wayne@staff.msen.com>, hackers@FreeBSD.ORG Subject: Re: Protections on inetd (and /sbin/* /usr/sbin/* in general) Message-ID: <20010117122916.O364@ringworld.oblivion.bg> In-Reply-To: <20010117101703.A25338@walton.maths.tcd.ie>; from dwmalone@maths.tcd.ie on Wed, Jan 17, 2001 at 10:17:03AM %2B0000 References: <200101170335.WAA18537@manor.msen.com> <19357397493.20010117074723@binity.com> <20010117103330.L364@ringworld.oblivion.bg> <20010117101703.A25338@walton.maths.tcd.ie>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Jan 17, 2001 at 10:17:03AM +0000, David Malone wrote: > On Wed, Jan 17, 2001 at 10:33:30AM +0200, Peter Pentchev wrote: > > > I've actually been thinking along the lines of something like that. > > A bit more strict access control though - bind() on AF_INET and/or AF_INET6 > > disabled by default, except for certain uid/sockaddr pairs. A kernel module > > keeping a table of uid/sockaddr pairs, and a userland tool (bindcontrol?) > > to feed it the necessary data. > > I think it would be very difficult to do this sensibly. You might > be able to stop people listening on tcp ports, but if you stop > people listening on UDP ports then DNS stops working. Yes, I know about the problems with UDP.. there are not too many undesirable things users may run on UDP though, so for the first approximation, I'd keep restrictions to TCP only. > (Stopping people listening on TCP ports is also likely to break > ssh, ftp and various other things - tough that may be desirable > in the situation in question.) ftp has a passive mode; how exactly does this break ssh? (or do you mean connection forwarding?) Anyway, with a bit more thought, users may be allowed to bind to some kind of 'primary' address (hmm maybe the distinction between an interface address and interface alias could be applied here).. or just told 'tough!' :) G'luck, Peter -- When you are not looking at it, this sentence is in Spanish. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010117122916.O364>