On Tue, Sep 15, 2009 at 11:39:05AM +0100, Freminlins typed:
> 2009/9/14 Chris Rees <utis...@googlemail.com>
> 
> >
> > Isn't this a bit drastic? Listening sockets are opened by very many
> > types of processes, as well as remembering that sendmail, BIND, and
> > others don't actually run as root... I suppose it'd be possible, but
> >  would it actually be useful?
> >
> 
> Sure, those open listening sockets. But those are things I want to listen.
> 
> Now suppose a user account was hacked, and "Bob" sets up a web server
> listening on some random port above 1024. If "Bob" couldn't use listen() he
> wouldn't be able to do that.

Haven't tried it, but you can probably set net.inet.ip.portrange.reservedhigh
to 65535. That way only root can bind(2) to any port.

Ruben

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
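The suggestion above is to raise net.inet.ip.portrange.reservedhigh (FreeBSD default 1023, with reservedlow defaulting to 0) so that bind(2) to any explicit port requires root. The script below is an added example, not code from this thread or from the FreeBSD project: it reads the two sysctls where they exist, then, as whatever user runs it, tries bind()+listen() on a constructed list of ports (an explicit high port such as 8080, and port 0, which asks the kernel for an ephemeral port) and compares what happened with what the setting is supposed to enforce. Whether a kernel-chosen ephemeral port is also refused is left as something to observe rather than assumed, which is why port 0 is in the list. The port list and the expectation rules are assumptions for illustration; the sysctl names are the real FreeBSD OIDs.

```python
import errno
import os
import socket
import subprocess

# To apply the setting from the thread on FreeBSD (run as root):
#   sysctl net.inet.ip.portrange.reservedhigh=65535
# and to persist it, add to /etc/sysctl.conf:
#   net.inet.ip.portrange.reservedhigh=65535

# Constructed probe list: 0 = kernel-chosen ephemeral port, 8080 and 40000 =
# typical "random port above 1024" an unprivileged user might pick.
PROBE_PORTS = [0, 8080, 40000]


def read_sysctl_int(oid):
    """Return an integer sysctl value via sysctl(8), or None if the OID
    (or the sysctl command) does not exist on this host."""
    try:
        out = subprocess.run(["sysctl", "-n", oid],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    if out.returncode != 0 or not out.stdout.strip().isdigit():
        return None
    return int(out.stdout.strip())


def classify_errno(code):
    """Map the errno from a failed bind() to a short verdict."""
    if code == errno.EACCES:
        return "eacces"        # refused by the reserved-port privilege check
    if code == errno.EADDRINUSE:
        return "inuse"         # something else already listens there
    return "error:" + errno.errorcode.get(code, str(code))


def probe_bind(port, host="0.0.0.0"):
    """Try to bind()+listen() a TCP socket on `port` as the current user.
    Returns 'bound', 'eacces', 'inuse' or 'error:<ERRNO>'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        s.listen(1)
        return "bound"
    except OSError as e:
        return classify_errno(e.errno)
    finally:
        s.close()


def expected(port, reservedlow, reservedhigh, is_root):
    """Policy expectation for an explicit port under the sysctls (assumed
    rule for this example): root always binds; a non-root user is refused
    with EACCES inside [reservedlow, reservedhigh]. Port 0 is deliberately
    left without an expectation so the probe reports what the kernel does."""
    if port == 0 or reservedhigh is None:
        return None
    if is_root:
        return "bound"
    return "eacces" if reservedlow <= port <= reservedhigh else "bound"


def audit(ports=PROBE_PORTS):
    """Probe every port and return {port: (observed, expected_or_None)}."""
    low = read_sysctl_int("net.inet.ip.portrange.reservedlow")
    high = read_sysctl_int("net.inet.ip.portrange.reservedhigh")
    is_root = os.geteuid() == 0
    return {p: (probe_bind(p), expected(p, low if low is not None else 0, high, is_root))
            for p in ports}


def mismatches(results):
    """Ports whose observed outcome contradicts the policy expectation
    ('inuse' is not counted against an expected 'bound')."""
    bad = []
    for port, (seen, want) in results.items():
        if want is None or seen == want:
            continue
        if want == "bound" and seen == "inuse":
            continue
        bad.append(port)
    return bad


if __name__ == "__main__":
    res = audit()
    for port, (seen, want) in sorted(res.items()):
        print(f"port {port:>5}: observed={seen:<12} expected={want}")
    print("mismatches:", mismatches(res))
```

Run it once as root and once as an ordinary user before and after changing the sysctl; the interesting line is port 0, since a server that can still obtain a kernel-assigned port via bind(0)+listen() would not be stopped by the reserved range alone.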
