From owner-freebsd-questions@FreeBSD.ORG Tue Sep 15 14:17:14 2009
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 40D411065676 for ; Tue, 15 Sep 2009 14:17:14 +0000 (UTC) (envelope-from mel.flynn+fbsd.questions@mailing.thruhere.net)
Received: from mailhub.rachie.is-a-geek.net (rachie.is-a-geek.net [66.230.99.27]) by mx1.freebsd.org (Postfix) with ESMTP id 127058FC1C for ; Tue, 15 Sep 2009 14:17:13 +0000 (UTC)
Received: from smoochies.rachie.is-a-geek.net (mailhub.lan.rachie.is-a-geek.net [192.168.2.11]) by mailhub.rachie.is-a-geek.net (Postfix) with ESMTP id 979217E821; Tue, 15 Sep 2009 06:17:26 -0800 (AKDT)
From: Mel Flynn
To: freebsd-questions@freebsd.org
Date: Tue, 15 Sep 2009 16:17:11 +0200
User-Agent: KMail/1.12.1 (FreeBSD/8.0-BETA4; KDE/4.3.1; i386; ; )
References:
In-Reply-To:
MIME-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <200909151617.11720.mel.flynn+fbsd.questions@mailing.thruhere.net>
Cc: Freminlins
Subject: Re: Non-root user and accept() or listen()
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 15 Sep 2009 14:17:14 -0000

On Monday 14 September 2009 18:47:18 Freminlins wrote:
> Hi,
>
> I am not sure if this exists (but don't think so), so I am asking.
>
> Is there a sysctl type thing to disallow non-root users, or indeed any
> specified user or group, from running a program with listen() ?
>
> What I am looking at is improving network security, such that if a user
> account is compromised it can then not be used to run a dodgy web
> server/whatever on a non-privileged port. Although I can firewall off any
> port I wish, it seems like an obvious thing to disallow any user from
> opening a listening socket in the first place. I am suggesting something
> like "sysctl user.socket_listen" with enable or disable.
>
> Am I being really daft? Or does this exist already?

See mac_portacl(4).
-- 
Mel
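An added example, not part of Mel's reply or of the FreeBSD project, showing how the mac_portacl(4) answer maps onto the original question. The policy hooks bind(), not listen(), and by default only covers ports 1 to security.mac.portacl.port_high (1023); raising port_high to 65535 brings every port under the rules, so an unprivileged account with no matching uid or gid rule cannot bind a listening socket on any port. The script below validates rules of the form idtype:id:protocol:port, joins them into the value that security.mac.portacl.rules expects, and prints the sysctl commands that apply them. The uid 80, gid 1001 and ports used are constructed for illustration.

```shell
#!/bin/sh
# Added example: build and sanity-check a mac_portacl(4) rule set, then
# print the commands that apply it. Run the printed commands as root on
# the FreeBSD host; nothing here changes the running system by itself.

# Validate one rule: idtype is uid or gid, id and port are numeric,
# protocol is tcp or udp, port is within 1..65535.
portacl_check_rule() {
    rule=$1
    case "$rule" in
        uid:*|gid:*) ;;
        *) return 1 ;;
    esac
    id=${rule#*:}; id=${id%%:*}
    rest=${rule#*:*:}
    proto=${rest%%:*}
    port=${rest#*:}
    case "$id" in ''|*[!0-9]*) return 1 ;; esac
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Join validated rules with commas, the separator security.mac.portacl.rules uses.
# Fails on the first malformed rule so a typo never silently widens access.
portacl_rules() {
    out=
    for r in "$@"; do
        portacl_check_rule "$r" || { echo "bad rule: $r" >&2; return 1; }
        out="${out:+$out,}$r"
    done
    printf '%s\n' "$out"
}

# Print the commands that load the policy and apply the rules system-wide.
# port_high=65535 makes every port subject to the rules, so accounts
# without a rule cannot bind a listener on any port. The built-in
# reserved-port check is disabled (reservedlow/reservedhigh=0) so the
# MAC policy alone decides privileged-port access. autoport_exempt
# (default 1) keeps bind() to port 0 working, so outbound connections
# still get ephemeral ports; suser_exempt (default 1) leaves root unrestricted.
portacl_commands() {
    rules=$(portacl_rules "$@") || return 1
    cat <<EOF
kldload mac_portacl
sysctl net.inet.ip.portrange.reservedlow=0
sysctl net.inet.ip.portrange.reservedhigh=0
sysctl security.mac.portacl.port_high=65535
sysctl security.mac.portacl.rules=$rules
sysctl security.mac.portacl.enabled=1
EOF
}

# Constructed sample: www (uid 80) may bind tcp/80 and tcp/443, and
# group 1001 may bind tcp/8080; every other non-root bind is refused.
portacl_commands uid:80:tcp:80 uid:80:tcp:443 gid:1001:tcp:8080
```

To make the settings survive a reboot, put `mac_portacl_load="YES"` in /boot/loader.conf and the sysctl assignments in /etc/sysctl.conf. A denied bind() shows up in the caller as EACCES, which is the signal to look for when confirming the policy is active.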