Non-root user and accept() or listen()

Ruben de Groot mail25 at
Tue Sep 15 12:27:52 UTC 2009

On Tue, Sep 15, 2009 at 11:39:05AM +0100, Freminlins typed:
> 2009/9/14 Chris Rees <utisoft at>
> >
> > Isn't this a bit drastic? Listening sockets are opened by very many
> > types of processes, as well as remembering that sendmail, BIND, and
> > others don't actually run as root... I suppose it'd be possible, but
> >  would it actually be useful?
> >
> Sure, those open listening sockets. But those are things I want to listen.
> Now suppose a user account was hacked, and "Bob" sets up a web server
> listening on some random port above 1024. If "Bob" couldn't use listen() he
> wouldn't be able to do that.

Haven't tried it, but you can probably set net.inet.ip.portrange.reservedhigh
to 65535. That way only root can bind(2) to any port.


More information about the freebsd-questions mailing list