Non-root user and accept() or listen()

Mel Flynn mel.flynn+fbsd.questions at
Tue Sep 15 14:17:14 UTC 2009

On Monday 14 September 2009 18:47:18 Freminlins wrote:
> Hi,
> I am not sure if this exists (but don't think so), so I am asking.
> Is there a sysctl type thing to disallow non-root users, or indeed any
> specified user or group, from running a program with listen() ?
> What I am looking at is improving network security, such that if a user
> account is compromised it can then not be used to run a dodgy web
> server/whatever on a non-privileged port. Although I can firewall off any
> port I wish, it seems like an obvious thing to disallow any user from
> opening a listening socket in the first place. I am suggesting something
> like "sysctl user.socket_listen" with enable or disable.
> Am I being really daft? Or does this exist already?

See mac_portacl(4).

More information about the freebsd-questions mailing list