Date: Wed, 17 Jan 2001 18:13:06 +0300 (MSK)
From: "Aleksandr A.Babaylov" <babolo@links.ru>
To: roam@orbitel.bg (Peter Pentchev)
Cc: walter@binity.com, wayne@staff.msen.com, hackers@FreeBSD.ORG
Subject: Re: Protections on inetd (and /sbin/* /usr/sbin/* in general)
Message-ID: <200101171513.SAA07666@aaz.links.ru>
In-Reply-To: <20010117103330.L364@ringworld.oblivion.bg> from "Peter Pentchev" at "Jan 17, 1 10:33:30 am"

Peter Pentchev writes:
> On Wed, Jan 17, 2001 at 07:47:23AM +0100, Walter W. Hop wrote:
> > > The exploit managed to start inetd, camped on the specified port
> >
> > I guess, if it doesn't exist already, that it wouldn't be so hard to
> > create a small patch to the kernel, so that only processes owned by root,
> > or a certain group of users (let's say "daemon"), were allowed to set up
> > listeners...
>
> I've actually been thinking along the lines of something like that.
> A bit more strict access control though - bind() on AF_INET and/or AF_INET6
> disabled by default, except for certain uid/sockaddr pairs.  A kernel module
> keeping a table of uid/sockaddr pairs, and a userland tool (bindcontrol?)
> to feed it the necessary data.
>
> Does this strike people as particularly useless? :)  I can think of at
> least one situation where it would be useful - shell hosting with virtual
> hostnames, where people are only allowed to have stuff listen on addresses
> they themselves have registered.  And yes, I know about jail, and it seems
> a bit too much of an overkill.
Developing a kernel module instead of jail IS the overkill.
jail is easily configurable (after the 2nd or 3rd of them)

--
@BABOLO      http://links.ru/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
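
The uid/sockaddr table proposed in the quoted text, sketched as a userland C model of the lookup. This is an added example, not code from the thread: bind_rule, bind_allowed, check4 and the sample uids and addresses are assumptions, and only IPv4 is modelled.

```c
/* Userland model of the proposed default-deny bind() table (IPv4 only).
 * bind_rule, bind_allowed and check4 are hypothetical names. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

struct bind_rule {
    uid_t uid;
    const char *addr;     /* IPv4 address registered to this uid */
    unsigned short port;  /* host byte order; 0 = any port */
};

/* Constructed sample table using a documentation address range. */
static const struct bind_rule rules[] = {
    { 1001, "192.0.2.10", 0    },
    { 1002, "192.0.2.20", 8080 },
};

/* Returns 1 if uid may bind to sa, 0 otherwise. */
int bind_allowed(uid_t uid, const struct sockaddr *sa)
{
    const struct sockaddr_in *s4 = (const struct sockaddr_in *)sa;
    struct in_addr want;
    size_t i;

    if (sa->sa_family != AF_INET)
        return sa->sa_family != AF_INET6;  /* AF_INET6 not modelled: deny */
    for (i = 0; i < sizeof(rules) / sizeof(rules[0]); i++) {
        if (rules[i].uid != uid) continue;
        if (inet_pton(AF_INET, rules[i].addr, &want) != 1) continue;
        if (want.s_addr == s4->sin_addr.s_addr &&
            (rules[i].port == 0 || rules[i].port == ntohs(s4->sin_port)))
            return 1;
    }
    return 0;  /* default deny; a wildcard (INADDR_ANY) bind matches no rule */
}

/* Helper: build an IPv4 sockaddr from text and run the check. */
int check4(uid_t uid, const char *ip, unsigned short port)
{
    struct sockaddr_in s;
    memset(&s, 0, sizeof(s));
    s.sin_family = AF_INET;
    s.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &s.sin_addr) != 1) return 0;
    return bind_allowed(uid, (const struct sockaddr *)&s);
}
```

A bind to 0.0.0.0 is refused for every uid because it would also listen on addresses registered to other users.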