Re: Non-root user and accept() or listen()

2009-09-15 Thread Freminlins
2009/9/14 Chris Rees utis...@googlemail.com


 Isn't this a bit drastic? Listening sockets are opened by very many
 types of processes, as well as remembering that sendmail, BIND, and
 others don't actually run as root... I suppose it'd be possible, but
 would it actually be useful?


Sure, those open listening sockets. But those are things I want to listen.

Now suppose a user account was hacked, and Bob sets up a web server
listening on some random port above 1024. If Bob couldn't use listen() he
wouldn't be able to do that.

Of course, user accounts should be made secure, but what I am getting at is
making the hack much less useful.


 BTW, there may be an ipfw rule for this, I'll have to look it up when
 my servers are back online!

 Chris


Frem. (Apologies for Gmail quoting, which is horrible).
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Non-root user and accept() or listen()

2009-09-15 Thread Ruben de Groot
On Tue, Sep 15, 2009 at 11:39:05AM +0100, Freminlins typed:
 2009/9/14 Chris Rees utis...@googlemail.com
 
 
  Isn't this a bit drastic? Listening sockets are opened by very many
  types of processes, as well as remembering that sendmail, BIND, and
  others don't actually run as root... I suppose it'd be possible, but
  would it actually be useful?
 
 
 Sure, those open listening sockets. But those are things I want to listen.
 
 Now suppose a user account was hacked, and Bob sets up a web server
 listening on some random port above 1024. If Bob couldn't use listen() he
 wouldn't be able to do that.

Haven't tried it, but you can probably set net.inet.ip.portrange.reservedhigh
to 65535. That way only root can bind(2) to any port.

Ruben



Re: Non-root user and accept() or listen()

2009-09-15 Thread Mel Flynn
On Monday 14 September 2009 18:47:18 Freminlins wrote:
 Hi,
 
 I am not sure if this exists (but don't think so), so I am asking.
 
 Is there a sysctl type thing to disallow non-root users, or indeed any
 specified user or group, from running a program with listen() ?
 
 What I am looking at is improving network security, such that if a user
 account is compromised it can then not be used to run a dodgy web
 server/whatever on a non-privileged port. Although I can firewall off any
 port I wish, it seems like an obvious thing to disallow any user from
 opening a listening socket in the first place. I am suggesting something
 like sysctl user.socket_listen with enable or disable.
 
 Am I being really daft? Or does this exist already?

See mac_portacl(4).
-- 
Mel
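Both answers above, Ruben's net.inet.ip.portrange.reservedhigh tweak and Mel's pointer to mac_portacl(4), come down to a handful of sysctl settings, and both gate bind(2) on a named port rather than listen() or accept() as the original question asked. The script below is an added example, not code posted by anyone in this thread, that generates an /etc/sysctl.conf fragment for the mac_portacl route and validates the rules before they are written. It assumes a FreeBSD kernel with the MAC framework (options MAC, in GENERIC from 8.0) and mac_portacl.ko loadable via mac_portacl_load="YES" in /boot/loader.conf; the rule syntax [uid|gid]:<id>:[tcp|udp]:<port> is the one mac_portacl(4) documents, and uid 80 (www), gid 53 and the listed ports are illustrative choices. Raising security.mac.portacl.port_high to 65535 is what makes the policy cover "some random port above 1024" rather than only the traditional privileged range; leaving autoport_exempt on keeps kernel-chosen ephemeral ports, and therefore ordinary outbound connect(2), working for everyone.

```sh
#!/bin/sh
# Added example (not from the thread): build a mac_portacl(4) sysctl.conf
# fragment that denies bind(2) on every explicit port to non-root users
# unless a rule allows it.  Assumes FreeBSD with mac_portacl.ko loaded
# (mac_portacl_load="YES" in /boot/loader.conf) and the rule syntax from
# mac_portacl(4): [uid|gid]:<id>:[tcp|udp]:<port>, rules joined by commas.
# The uids, gids and ports used as input are illustrative.

# portacl_rule IDTYPE ID PROTO PORT
# Prints one validated rule, or returns 1 if any field is malformed.
portacl_rule() {
    idtype=$1; id=$2; proto=$3; port=$4
    case $idtype in uid|gid) ;; *) return 1 ;; esac      # subject type
    case $proto in tcp|udp) ;; *) return 1 ;; esac       # only protocols portacl knows
    case $id in ''|*[!0-9]*) return 1 ;; esac            # numeric uid/gid only
    case $port in ''|*[!0-9]*) return 1 ;; esac          # numeric port only
    [ "$port" -le 65535 ] || return 1                    # 16-bit port range
    printf '%s:%s:%s:%s' "$idtype" "$id" "$proto" "$port"
}

# portacl_rules
# Reads "IDTYPE ID PROTO PORT" lines on stdin and prints the comma-joined
# value for security.mac.portacl.rules.  One bad line aborts the whole set,
# so a typo cannot silently leave a port open.
portacl_rules() {
    out=
    while read -r idtype id proto port; do
        [ -n "$idtype" ] || continue                     # skip blank lines
        rule=$(portacl_rule "$idtype" "$id" "$proto" "$port") || return 1
        out="${out:+$out,}$rule"
    done
    printf '%s' "$out"
}

# portacl_sysctl_conf RULES
# Prints the /etc/sysctl.conf fragment.  The comments inside explain why
# each knob is needed for the policy to reach every port.
portacl_sysctl_conf() {
    cat <<EOF
# mac_portacl only examines ports 0..port_high; 65535 covers every port,
# so an unprivileged user cannot bind(2) any explicit port without a rule.
security.mac.portacl.port_high=65535
# Empty the kernel's own reserved range so the decision is left entirely
# to mac_portacl (otherwise bind(2) to a low port is refused before the
# MAC policy is consulted).  Ruben's alternative is the opposite setting,
# reservedhigh=65535, which reserves every port for root with no exceptions.
net.inet.ip.portrange.reservedlow=0
net.inet.ip.portrange.reservedhigh=0
# root stays exempt; ports chosen by the kernel (bind to port 0, and the
# implicit bind done by connect(2)) stay exempt, so outbound traffic works.
security.mac.portacl.suser_exempt=1
security.mac.portacl.autoport_exempt=1
security.mac.portacl.rules=$1
security.mac.portacl.enabled=1
EOF
}

# Usage: feed the allow-list (constructed sample input) and write the fragment.
# On a real host: portacl_sysctl_conf "$rules" >> /etc/sysctl.conf && service sysctl restart
if [ "$1" = "--demo" ]; then
    rules=$(printf 'uid 80 tcp 80\nuid 80 tcp 443\ngid 53 udp 53\n' | portacl_rules) \
        || { echo "bad rule in input" >&2; exit 1; }
    portacl_sysctl_conf "$rules"
fi
```

Run with --demo to see the generated fragment. Note that none of this stops a compromised account from calling listen() on a socket it was handed by some other means, or from talking outbound; it closes the specific "start a daemon on an unprivileged port" case the question describes, and firewalling remains the backstop for everything else.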


Re: Non-root user and accept() or listen()

2009-09-14 Thread Chris Rees
2009/9/14 Freminlins freminl...@gmail.com:
 Hi,

 I am not sure if this exists (but don't think so), so I am asking.

 Is there a sysctl type thing to disallow non-root users, or indeed any
 specified user or group, from running a program with listen() ?

 What I am looking at is improving network security, such that if a user
 account is compromised it can then not be used to run a dodgy web
 server/whatever on a non-privileged port. Although I can firewall off any
 port I wish, it seems like an obvious thing to disallow any user from
 opening a listening socket in the first place. I am suggesting something
 like sysctl user.socket_listen with enable or disable.

 Am I being really daft? Or does this exist already?


 Cheers,
 Frem.


Isn't this a bit drastic? Listening sockets are opened by very many
types of processes, as well as remembering that sendmail, BIND, and
others don't actually run as root... I suppose it'd be possible, but
would it actually be useful?

BTW, there may be an ipfw rule for this, I'll have to look it up when
my servers are back online!

Chris



-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in a mailing list?