Non-root user and accept() or listen()

Chris Rees utisoft at
Mon Sep 14 17:45:10 UTC 2009

2009/9/14 Freminlins <freminlins at>:
> Hi,
> I am not sure if this exists (but don't think so), so I am asking.
> Is there a sysctl type thing to disallow non-root users, or indeed any
> specified user or group, from running a program with listen() ?
> What I am looking at is improving network security, such that if a user
> account is compromised it can then not be used to run a dodgy web
> server/whatever on a non-privileged port. Although I can firewall off any
> port I wish, it seems like an obvious thing to disallow any user from
> opening a listening socket in the first place. I am suggesting something
> like "sysctl user.socket_listen" with enable or disable.
> Am I being really daft? Or does this exist already?
> Cheers,
> Frem.

Isn't this a bit drastic? Listening sockets are opened by very many
types of processes, as well as remembering that sendmail, BIND, and
others don't actually run as root... I suppose it'd be possible, but
would it actually be useful?

BTW, there may be an ipfw rule for this, I'll have to look it up when
my servers are back online!


A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in a mailing list?

More information about the freebsd-questions mailing list