Non-root user and accept() or listen()
Mel Flynn
mel.flynn+fbsd.questions at mailing.thruhere.net
Tue Sep 15 14:17:14 UTC 2009
On Monday 14 September 2009 18:47:18 Freminlins wrote:
> Hi,
>
> I am not sure if this exists (but don't think so), so I am asking.
>
> Is there a sysctl type thing to disallow non-root users, or indeed any
> specified user or group, from running a program with listen() ?
>
> What I am looking at is improving network security, such that if a user
> account is compromised it can then not be used to run a dodgy web
> server/whatever on a non-privileged port. Although I can firewall off any
> port I wish, it seems like an obvious thing to disallow any user from
> opening a listening socket in the first place. I am suggesting something
> like "sysctl user.socket_listen" with enable or disable.
>
> Am I being really daft? Or does this exist already?
See mac_portacl(4).
--
Mel
More information about the freebsd-questions
mailing list