Date:      Mon, 25 Nov 1996 23:03:32 +1030 (CST)
From:      Peter Childs <pjchilds@imforei.apana.org.au>
To:        shadows@whitefang.com (Thamer Al-Herbish), freebsd-questions@freebsd.org
Subject:   Re: Keeping users from bind'ing to ports
Message-ID:  <199611251233.XAA17369@al.imforei.apana.org.au>

In article <Pine.SOL.3.91.961124205525.476D-100000@localhost> you wrote:
: On Fri, 22 Nov 1996, Gary Clark II wrote:

: > David Langford wrote:
: > > Is there a way of keeping some users from being able to run programs
: > > that bind to ports over 1024? (i.e. to keep users from running servers)
: > I don't know any way of doing this except maybe
: > with IP firewall.  Anyone else?

: A while back I wrote a hack that basically ran netstat for all listening
: ports, then did a reverse ident query to find out which users were
: running what on what port. There's one problem there, you only know userX
: ran something on port xxxx. I really wouldn't do this, you have to realise
: there are programs at user level that bind to a port. FTP comes to mind
: where the client opens up an additional port to get the data from.

 The call to bind ends up in the kernel.  There is some code there that
 checks that if port < 1024 user-id must be root.  You could do another
 check that if port is in "userland" range  group-id == untrusted then
 fail the bind.
 
 Nasty, but effective.  As noted above some client type programs would
 barf at this.   I guess you have to decide what the user has access to
 the machine for.

 Peter

-- 
 Peter Childs  ---  http://www.imforei.apana.org.au/~pjchilds
  Finger pjchilds@al.imforei.apana.org.au for public PGP key
         Drag me, drop me, treat me like an object!
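A user-space model of the two-rule bind policy Peter sketches above, added here as an illustration and not code from the thread or from the FreeBSD kernel. It assumes a hypothetical "untrusted" group id of 1001; in FreeBSD the existing privileged-port check lives in the kernel's in_pcbbind().

```c
#include <errno.h>
#include <sys/types.h>

/* Added illustration, not FreeBSD code: a user-space model of the bind
 * policy described in the thread. The first rule is the one the kernel
 * already applies; the second is the proposed group-based check.
 * UNTRUSTED_GID is a hypothetical group id chosen for this example. */

#define PRIV_PORT_MAX   1024              /* ports below this are root-only */
#define UNTRUSTED_GID   ((gid_t)1001)     /* hypothetical "untrusted" group */

/* Decide whether a process with credentials (uid, gid) may bind `port`.
 * Returns 0 to allow, or EACCES, the errno the caller would hand back to
 * user space. port 0 means "pick an ephemeral port", i.e. a user-range
 * request, so it is subject to the group rule but not the root rule. */
int check_bind_port(uid_t uid, gid_t gid, unsigned short port)
{
    /* Existing rule: privileged ports require root. */
    if (port != 0 && port < PRIV_PORT_MAX && uid != 0)
        return EACCES;

    /* Proposed rule: a non-root member of the untrusted group may not bind
     * in the user range either, so together the rules deny it every port.
     * A real kernel would also consult the supplementary group list. */
    if (uid != 0 && gid == UNTRUSTED_GID)
        return EACCES;

    return 0;
}
```

The check sees only bind(), so, as the thread notes, it also blocks clients that bind a port to accept an inbound data connection (active-mode FTP); it cannot tell a server from such a client.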