Non-root user and accept() or listen()
freminlins at gmail.com
Tue Sep 15 10:39:07 UTC 2009
2009/9/14 Chris Rees <utisoft at googlemail.com>
> Isn't this a bit drastic? Listening sockets are opened by very many
> types of processes, as well as remembering that sendmail, BIND, and
> others don't actually run as root... I suppose it'd be possible, but
> would it actually be useful?
Sure, those open listening sockets. But those are things I want to listen.
Now suppose a user account was hacked, and "Bob" sets up a web server
listening on some random port above 1024. If "Bob" couldn't use listen() he
wouldn't be able to do that.
Of course, user accounts should be made secure, but what I am getting at is
making the hack much less useful.
> BTW, there may be an ipfw rule for this, I'll have to look it up when
> my servers are back online!
Frem. (Apologies for Gmail quoting, which is horrible).
More information about the freebsd-questions