From owner-freebsd-questions@FreeBSD.ORG Tue Sep 15 10:39:07 2009
Date: Tue, 15 Sep 2009 11:39:05 +0100
From: Freminlins
To: utisoft@gmail.com
Cc: FreeBSD Questions
Subject: Re: Non-root user and accept() or listen()
2009/9/14 Chris Rees:

> Isn't this a bit drastic? Listening sockets are opened by very many
> types of processes, as well as remembering that sendmail, BIND, and
> others don't actually run as root... I suppose it'd be possible, but
> would it actually be useful?

Sure, those open listening sockets. But those are things I want to listen. Now suppose a user account was hacked, and "Bob" sets up a web server listening on some random port above 1024. If "Bob" couldn't use listen() he wouldn't be able to do that. Of course, user accounts should be made secure, but what I am getting at is making the hack much less useful.

> BTW, there may be an ipfw rule for this, I'll have to look it up when
> my servers are back online!
>
> Chris

Frem.

(Apologies for Gmail quoting, which is horrible.)
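An ipfw ruleset along the lines Chris alludes to, added here as an example and not taken from the thread. It assumes 22 and 80 are the only ports that are meant to accept connections, allows new inbound TCP connections only to those, and denies (and logs) connection setup to every other port, so a listener that a compromised account starts on some high port is unreachable from the network; it does not stop listen() itself, covers TCP only, and connections over lo0 still succeed.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Assumptions: SERVICE_PORTS lists every port that should accept
# connections from the network; rule numbers are arbitrary.
# Without --apply the script only prints the ruleset for review.

SERVICE_PORTS="${SERVICE_PORTS:-22,80}"

# Emit the rules in "ipfw add" syntax, one per line.
gen_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 allow tcp from any to any established
add 300 allow tcp from me to any out setup
add 400 allow tcp from any to me $SERVICE_PORTS in setup
add 500 deny log tcp from any to me in setup
EOF
}

# Number of rules that deny new inbound connections; a sanity check
# that the catch-all deny is present before the set is loaded.
count_deny() {
    gen_rules | grep -c '^add [0-9]* deny '
}

# Number of rules that allow inbound connection setup; should be exactly
# one, scoped to SERVICE_PORTS.
count_inbound_allow() {
    gen_rules | grep -c '^add [0-9]* allow tcp from any to me .* in setup$'
}

if [ "${1:-}" = "--apply" ]; then
    # Load each rule; word splitting of $rule into ipfw arguments is intended.
    gen_rules | while read -r rule; do
        ipfw -q $rule
    done
else
    gen_rules
fi
```

Because rule 200 passes established traffic and rule 500 only matches SYN packets, existing sessions are untouched when the set is loaded; only new inbound connections to ports outside SERVICE_PORTS are refused.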