Date:      Tue, 15 Sep 2009 11:39:05 +0100
From:      Freminlins <freminlins@gmail.com>
To:        utisoft@gmail.com
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Non-root user and accept() or listen()
Message-ID:  <eeef1a4c0909150339h78ae9b68j5c80a5e62ae55764@mail.gmail.com>
In-Reply-To: <b79ecaef0909141044l63ec4e76xdebba5f06e645b8e@mail.gmail.com>
References:  <eeef1a4c0909140947s5f10b4cdidbd7b41a5539186c@mail.gmail.com> <b79ecaef0909141044l63ec4e76xdebba5f06e645b8e@mail.gmail.com>

2009/9/14 Chris Rees <utisoft@googlemail.com>

> Isn't this a bit drastic? Listening sockets are opened by very many
> types of processes, as well as remembering that sendmail, BIND, and
> others don't actually run as root... I suppose it'd be possible, but
> would it actually be useful?

Sure, those open listening sockets. But those are things I want to listen.

Now suppose a user account was hacked, and "Bob" sets up a web server
listening on some random port above 1024. If "Bob" couldn't use listen() he
wouldn't be able to do that.

Of course, user accounts should be made secure, but what I am getting at is
making the hack much less useful.


> BTW, there may be an ipfw rule for this, I'll have to look it up when
> my servers are back online!
>
> Chris

Frem. (Apologies for Gmail quoting, which is horrible).



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?eeef1a4c0909150339h78ae9b68j5c80a5e62ae55764>