From owner-freebsd-hackers Wed Jan 17 2:30:58 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.189]) by hub.freebsd.org (Postfix) with SMTP id AAFE837B400 for ; Wed, 17 Jan 2001 02:30:38 -0800 (PST)
Received: (qmail 17145 invoked by uid 1000); 17 Jan 2001 10:29:16 -0000
Date: Wed, 17 Jan 2001 12:29:16 +0200
From: Peter Pentchev
To: David Malone
Cc: "Walter W. Hop" , "Michael R. Wayne" , hackers@FreeBSD.ORG
Subject: Re: Protections on inetd (and /sbin/* /usr/sbin/* in general)
Message-ID: <20010117122916.O364@ringworld.oblivion.bg>
Mail-Followup-To: David Malone , "Walter W. Hop" , "Michael R. Wayne" , hackers@FreeBSD.ORG
References: <200101170335.WAA18537@manor.msen.com> <19357397493.20010117074723@binity.com> <20010117103330.L364@ringworld.oblivion.bg> <20010117101703.A25338@walton.maths.tcd.ie>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010117101703.A25338@walton.maths.tcd.ie>; from dwmalone@maths.tcd.ie on Wed, Jan 17, 2001 at 10:17:03AM +0000
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, Jan 17, 2001 at 10:17:03AM +0000, David Malone wrote:
> On Wed, Jan 17, 2001 at 10:33:30AM +0200, Peter Pentchev wrote:
>
> > I've actually been thinking along the lines of something like that.
> > A bit more strict access control though - bind() on AF_INET and/or AF_INET6
> > disabled by default, except for certain uid/sockaddr pairs. A kernel module
> > keeping a table of uid/sockaddr pairs, and a userland tool (bindcontrol?)
> > to feed it the necessary data.
>
> I think it would be very difficult to do this sensibly. You might
> be able to stop people listening on tcp ports, but if you stop
> people listening on UDP ports then DNS stops working.

Yes, I know about the problems with UDP.. there are not too many
undesirable things users may run on UDP though, so for the first
approximation, I'd keep restrictions to TCP only.

> (Stopping people listening on TCP ports is also likely to break
> ssh, ftp and various other things - though that may be desirable
> in the situation in question.)

ftp has a passive mode; how exactly does this break ssh? (or do you
mean connection forwarding?)

Anyway, with a bit more thought, users may be allowed to bind to some
kind of 'primary' address (hmm maybe the distinction between an interface
address and interface alias could be applied here).. or just told 'tough!' :)

G'luck,
Peter

-- 
When you are not looking at it, this sentence is in Spanish.
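The uid/sockaddr table and TCP-only scope discussed in this message, worked through as an added illustration that is not code from the thread or from FreeBSD: a userland model in C of the lookup a bind() hook would run against a table fed by a "bindcontrol" tool. The names (bind_rule, bindcontrol_add, bind_check, check_v4), the wildcard conventions (INADDR_ANY matches any local address, port 0 matches any port), and the exemption for uid 0 are assumptions made here, not anything the thread settled on; AF_INET6 is left out, and UDP passes untouched as the message proposes.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/*
 * One entry of the hypothetical bindcontrol table: a uid plus the
 * AF_INET address/port it may bind().  Conventions assumed here:
 * addr == INADDR_ANY matches any local address, port == 0 matches any port.
 */
struct bind_rule {
    uid_t     uid;
    in_addr_t addr;   /* network byte order */
    uint16_t  port;   /* host byte order; 0 = any */
};

#define MAX_RULES 32
static struct bind_rule rules[MAX_RULES];
static int nrules;

/* Userland side ("bindcontrol"): add a rule.  Returns 0, or -1 on a bad
 * address or a full table. */
int bindcontrol_add(uid_t uid, const char *dotted, uint16_t port)
{
    struct in_addr a;
    if (nrules >= MAX_RULES || inet_pton(AF_INET, dotted, &a) != 1)
        return -1;
    rules[nrules].uid  = uid;
    rules[nrules].addr = a.s_addr;
    rules[nrules].port = port;
    nrules++;
    return 0;
}

void bindcontrol_flush(void) { nrules = 0; }

/*
 * Kernel side: the decision a bind() hook would make.  Returns 0 (allow),
 * EACCES (denied by policy) or EINVAL (malformed request).
 * Scope follows the "first approximation" in the message: only TCP
 * (SOCK_STREAM) on AF_INET is subject to the table.  UDP, raw and
 * non-INET sockets pass, and uid 0 is exempt (assumption made here).
 */
int bind_check(uid_t uid, int family, int socktype,
               const struct sockaddr *sa, socklen_t salen)
{
    if (uid == 0)
        return 0;
    if (family != AF_INET || socktype != SOCK_STREAM)
        return 0;
    if (sa == NULL || salen < sizeof(struct sockaddr_in) || sa->sa_family != AF_INET)
        return EINVAL;

    const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
    uint16_t port = ntohs(sin->sin_port);

    for (int i = 0; i < nrules; i++) {
        const struct bind_rule *r = &rules[i];
        if (r->uid != uid)
            continue;
        if (r->addr != htonl(INADDR_ANY) && r->addr != sin->sin_addr.s_addr)
            continue;
        if (r->port != 0 && r->port != port)
            continue;
        return 0;                       /* first matching rule allows */
    }
    return EACCES;                      /* default deny for TCP */
}

/* Convenience wrapper: build a sockaddr_in from text and run the check. */
int check_v4(uid_t uid, int socktype, const char *dotted, uint16_t port)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port   = htons(port);
    if (inet_pton(AF_INET, dotted, &sin.sin_addr) != 1)
        return EINVAL;
    return bind_check(uid, AF_INET, socktype,
                      (const struct sockaddr *)&sin, sizeof sin);
}

int main(void)
{
    /* Constructed sample policy: uid 1000 gets one address:port,
     * uid 1002 gets any TCP bind at all. */
    bindcontrol_add(1000, "192.0.2.10", 8080);
    bindcontrol_add(1002, "0.0.0.0", 0);
    printf("uid 1000 tcp 192.0.2.10:8080 -> %d\n", check_v4(1000, SOCK_STREAM, "192.0.2.10", 8080));
    printf("uid 1000 tcp 192.0.2.11:8080 -> %d\n", check_v4(1000, SOCK_STREAM, "192.0.2.11", 8080));
    printf("uid 1000 udp 192.0.2.10:53   -> %d\n", check_v4(1000, SOCK_DGRAM,  "192.0.2.10", 53));
    printf("uid 1002 tcp 198.51.100.7:1234 -> %d\n", check_v4(1002, SOCK_STREAM, "198.51.100.7", 1234));
    return 0;
}
```

The default-deny branch is what makes the UDP caveat from the thread concrete: because the family/socktype test comes before the table walk, a resolver's UDP bind never reaches the deny, while an unlisted uid's TCP listen fails with EACCES. A real kernel hook would also need to handle the wildcard bind (INADDR_ANY in the request, not just in the rule) explicitly, which this model treats like any other address.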