Date: Tue, 15 Sep 2009 16:17:11 +0200 From: Mel Flynn <mel.flynn+fbsd.questions@mailing.thruhere.net> To: freebsd-questions@freebsd.org Cc: Freminlins <freminlins@gmail.com> Subject: Re: Non-root user and accept() or listen() Message-ID: <200909151617.11720.mel.flynn%2Bfbsd.questions@mailing.thruhere.net> In-Reply-To: <eeef1a4c0909140947s5f10b4cdidbd7b41a5539186c@mail.gmail.com> References: <eeef1a4c0909140947s5f10b4cdidbd7b41a5539186c@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Monday 14 September 2009 18:47:18 Freminlins wrote: > Hi, > > I am not sure if this exists (but don't think so), so I am asking. > > Is there a sysctl type thing to disallow non-root users, or indeed any > specified user or group, from running a program with listen() ? > > What I am looking at is improving network security, such that if a user > account is compromised it can then not be used to run a dodgy web > server/whatever on a non-privileged port. Although I can firewall off any > port I wish, it seems like an obvious thing to disallow any user from > opening a listening socket in the first place. I am suggesting something > like "sysctl user.socket_listen" with enable or disable. > > Am I being really daft? Or does this exist already? See mac_portacl(4). -- Mel
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200909151617.11720.mel.flynn%2Bfbsd.questions>