From owner-freebsd-questions@FreeBSD.ORG  Tue Sep 15 12:27:52 2009
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B7BE2106568B
	for <freebsd-questions@freebsd.org>;
	Tue, 15 Sep 2009 12:27:52 +0000 (UTC)
	(envelope-from mail25@bzerk.org)
Received: from ei.bzerk.org (tunnel490.ipv6.xs4all.nl
	[IPv6:2001:888:10:1ea::2])
	by mx1.freebsd.org (Postfix) with ESMTP id 413D68FC12
	for <freebsd-questions@freebsd.org>;
	Tue, 15 Sep 2009 12:27:52 +0000 (UTC)
Received: from ei.bzerk.org (BOFH@localhost [127.0.0.1])
	by ei.bzerk.org (8.14.2/8.14.2) with ESMTP id n8FCRk5r027888;
	Tue, 15 Sep 2009 14:27:46 +0200 (CEST)
	(envelope-from mail25@bzerk.org)
Received: (from bulk@localhost)
	by ei.bzerk.org (8.14.2/8.14.2/Submit) id n8FCRkWi027887;
	Tue, 15 Sep 2009 14:27:46 +0200 (CEST)
	(envelope-from mail25@bzerk.org)
Date: Tue, 15 Sep 2009 14:27:46 +0200
From: Ruben de Groot <mail25@bzerk.org>
To: Freminlins <freminlins@gmail.com>
Message-ID: <20090915122746.GA27732@ei.bzerk.org>
Mail-Followup-To: Ruben de Groot <mail25@bzerk.org>,
	Freminlins <freminlins@gmail.com>, utisoft@gmail.com,
	FreeBSD Questions <freebsd-questions@freebsd.org>
References: <eeef1a4c0909140947s5f10b4cdidbd7b41a5539186c@mail.gmail.com>
	<b79ecaef0909141044l63ec4e76xdebba5f06e645b8e@mail.gmail.com>
	<eeef1a4c0909150339h78ae9b68j5c80a5e62ae55764@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <eeef1a4c0909150339h78ae9b68j5c80a5e62ae55764@mail.gmail.com>
User-Agent: Mutt/1.4.2.3i
X-Spam-Status: No, score=-4.4 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00
	autolearn=ham version=3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on ei.bzerk.org
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.0.1
	(ei.bzerk.org [127.0.0.1]); Tue, 15 Sep 2009 14:27:50 +0200 (CEST)
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>, utisoft@gmail.com
Subject: Re: Non-root user and accept() or listen()
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Sep 2009 12:27:52 -0000

On Tue, Sep 15, 2009 at 11:39:05AM +0100, Freminlins typed:
> 2009/9/14 Chris Rees <utisoft@googlemail.com>
> 
> >
> > Isn't this a bit drastic? Listening sockets are opened by very many
> > types of processes, as well as remembering that sendmail, BIND, and
> > others don't actually run as root... I suppose it'd be possible, but
> >  would it actually be useful?
> >
> 
> Sure, those open listening sockets. But those are things I want to listen.
> 
> Now suppose a user account was hacked, and "Bob" sets up a web server
> listening on some random port above 1024. If "Bob" couldn't use listen() he
> wouldn't be able to do that.

Haven't tried it, but you can probably set net.inet.ip.portrange.reservedhigh
to 65535. That way only root can bind(2) to any port.

Ruben