Non-root user and accept() or listen()
Ruben de Groot
mail25 at bzerk.org
Tue Sep 15 12:27:52 UTC 2009
On Tue, Sep 15, 2009 at 11:39:05AM +0100, Freminlins typed:
> 2009/9/14 Chris Rees <utisoft at googlemail.com>
>
> >
> > Isn't this a bit drastic? Listening sockets are opened by very many
> > types of processes, as well as remembering that sendmail, BIND, and
> > others don't actually run as root... I suppose it'd be possible, but
> > would it actually be useful?
> >
>
> Sure, those open listening sockets. But those are things I want to listen.
>
> Now suppose a user account was hacked, and "Bob" sets up a web server
> listening on some random port above 1024. If "Bob" couldn't use listen() he
> wouldn't be able to do that.
Haven't tried it, but you can probably set net.inet.ip.portrange.reservedhigh
to 65535. That way only root can bind(2) to any port.
Ruben
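A small probe, added here and not part of the thread, that an administrator can run as an unprivileged user to check what a portrange change actually does: it attempts bind(2) on a few loopback TCP ports and reports the errno for each. The expectation that an unprivileged bind to a port inside [reservedlow, reservedhigh] fails with EACCES, so that raising net.inet.ip.portrange.reservedhigh to 65535 refuses every port to non-root, is the behaviour Ruben suggests above and is stated here as an assumption, not something verified on this page; the port numbers probed are arbitrary.

```c
/* Added example: probe whether the current user may bind() a given TCP
 * port on 127.0.0.1.  Returns 0 on success, otherwise the errno from
 * socket()/bind().  Assumption (from the thread, not verified here): on
 * FreeBSD, ports in [net.inet.ip.portrange.reservedlow,
 * net.inet.ip.portrange.reservedhigh] yield EACCES for a non-root user,
 * so reservedhigh=65535 makes every port return EACCES. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

int try_bind(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);                 /* 0 = kernel-chosen ephemeral port */
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

    int rc = 0;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0)
        rc = errno;                            /* capture before close() can clobber it */
    close(fd);
    return rc;
}

int main(void)
{
    /* Arbitrary sample: ephemeral, a classic reserved port, a high port. */
    unsigned short ports[] = { 0, 80, 8080 };
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++) {
        int rc = try_bind(ports[i]);
        printf("port %5u: %s\n", ports[i], rc == 0 ? "bind ok" : strerror(rc));
    }
    return 0;
}
```

Run it once as root and once as an ordinary user: root should see "bind ok" everywhere, while the unprivileged run shows which ports the portrange setting (or, on other systems, the usual privileged-port rule) refuses. A port that is already in use reports EADDRINUSE rather than EACCES, so a noisy host needs a couple of spare port numbers in the sample.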