Re: Non-root user and accept() or listen()
On Monday 14 September 2009 18:47:18 Freminlins wrote:
> Hi,
>
> I am not sure if this exists (but don't think so), so I am asking.
>
> Is there a sysctl type thing to disallow non-root users, or indeed any
> specified user or group, from running a program with listen() ?
>
> What I am looking at is improving network security, such that if a user
> account is compromised it can then not be used to run a dodgy web
> server/whatever on a non-privileged port. Although I can firewall off any
> port I wish, it seems like an obvious thing to disallow any user from
> opening a listening socket in the first place. I am suggesting something
> like "sysctl user.socket_listen" with enable or disable.
>
> Am I being really daft? Or does this exist already?

See mac_portacl(4).

--
Mel

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Non-root user and accept() or listen()
On Tue, Sep 15, 2009 at 11:39:05AM +0100, Freminlins typed:
> 2009/9/14 Chris Rees
> >
> > Isn't this a bit drastic? Listening sockets are opened by very many
> > types of processes, as well as remembering that sendmail, BIND, and
> > others don't actually run as root... I suppose it'd be possible, but
> > would it actually be useful?
>
> Sure, those open listening sockets. But those are things I want to listen.
>
> Now suppose a user account was hacked, and "Bob" sets up a web server
> listening on some random port above 1024. If "Bob" couldn't use listen() he
> wouldn't be able to do that.

Haven't tried it, but you can probably set net.inet.ip.portrange.reservedhigh
to 65535. That way only root can bind(2) to any port.

Ruben
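As an added example, not code posted by anyone in this thread, the two sysctl.conf fragments below put Ruben's reservedhigh idea and Mel's mac_portacl(4) pointer into practice; both act on bind(2), the step before listen(). The uid 80 / gid 53 values in the allow-list are constructed for illustration, and the sysctl names should be checked against mac_portacl(4) on the release in use.

```conf
# /boot/loader.conf (Option B only): load the portacl policy module at
# boot; on a running system, kldload mac_portacl does the same.
mac_portacl_load="YES"

# /etc/sysctl.conf: use ONE of the two options below, not both.

# Option A (Ruben): make every port a reserved port, so bind(2) on any
# port requires root. Blunt: a daemon that binds after dropping
# privileges (the sendmail/BIND case Chris raises) stops working.
net.inet.ip.portrange.reservedlow=0
net.inet.ip.portrange.reservedhigh=65535

# Option B (Mel): let mac_portacl decide instead. The stack's own
# reserved range is emptied so portacl rules are what grant or deny,
# and port_high is raised so ports above 1023 are covered as well.
net.inet.ip.portrange.reservedlow=0
net.inet.ip.portrange.reservedhigh=0
security.mac.portacl.enabled=1
security.mac.portacl.suser_exempt=1      # root is never restricted
security.mac.portacl.port_high=65535     # rules apply to all ports
# Allow-list, format idtype:id:protocol:port. Example values: uid 80
# (www) may bind 80/443, gid 53 (bind) may bind 53; any port not
# listed is denied to non-root users.
security.mac.portacl.rules=uid:80:tcp:80,uid:80:tcp:443,gid:53:tcp:53,gid:53:udp:53
```

Under Option B an unprivileged account that is compromised cannot bind a listening port at all unless an administrator has granted that uid or gid the port explicitly, which is the behaviour the original question asks for.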
Re: Non-root user and accept() or listen()
2009/9/14 Chris Rees
>
> Isn't this a bit drastic? Listening sockets are opened by very many
> types of processes, as well as remembering that sendmail, BIND, and
> others don't actually run as root... I suppose it'd be possible, but
> would it actually be useful?

Sure, those open listening sockets. But those are things I want to listen.

Now suppose a user account was hacked, and "Bob" sets up a web server
listening on some random port above 1024. If "Bob" couldn't use listen() he
wouldn't be able to do that.

Of course, user accounts should be made secure, but what I am getting at is
making the hack much less useful.

> BTW, there may be an ipfw rule for this, I'll have to look it up when
> my servers are back online!
>
> Chris

Frem.

(Apologies for Gmail quoting, which is horrible).
Re: Non-root user and accept() or listen()
2009/9/14 Freminlins:
> Hi,
>
> I am not sure if this exists (but don't think so), so I am asking.
>
> Is there a sysctl type thing to disallow non-root users, or indeed any
> specified user or group, from running a program with listen() ?
>
> What I am looking at is improving network security, such that if a user
> account is compromised it can then not be used to run a dodgy web
> server/whatever on a non-privileged port. Although I can firewall off any
> port I wish, it seems like an obvious thing to disallow any user from
> opening a listening socket in the first place. I am suggesting something
> like "sysctl user.socket_listen" with enable or disable.
>
> Am I being really daft? Or does this exist already?
>
> Cheers,
> Frem.

Isn't this a bit drastic? Listening sockets are opened by very many
types of processes, as well as remembering that sendmail, BIND, and
others don't actually run as root... I suppose it'd be possible, but
would it actually be useful?

BTW, there may be an ipfw rule for this, I'll have to look it up when
my servers are back online!

Chris

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in a mailing list?