Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 25 Nov 1996 23:03:32 +1030 (CST)
From:      Peter Childs <pjchilds@imforei.apana.org.au>
To:        shadows@whitefang.com (Thamer Al-Herbish), freebsd-questions@freebsd.org
Subject:   Re: Keeping users from bind'ing to ports
Message-ID:  <199611251233.XAA17369@al.imforei.apana.org.au>

Next in thread | Raw E-Mail | Index | Archive | Help
In article <Pine.SOL.3.91.961124205525.476D-100000@localhost> you wrote:
: On Fri, 22 Nov 1996, Gary Clark II wrote:

: > David Langford wrote:
: > > Is there a way of keeping some users from being able to run programs
: > > that bind to ports over 1024? (i.e. to keep users from running servers)
: > I don't know any of doing ths except maybe
: > with IP firewall.  Anyone else?

: A while back I wrote a hack that basically ran netstat for all listening 
: ports, then did a reverse ident query to find out which users where 
: running what on what port. There's one problem there, you only know userX 
: ran something on port xxxx. I realy wouldnt do this, you have to realise 
: there are programs at user level that bind to a port. FTP comes to mind 
: where the client opens up an additional port to get the data from.

 The call to bind ends up in the kernel.  There is some code there that
 checks that if port < 1024 user-id must be root.  You could do another
 check that if port is in "userland" range  group-id == untrusted then
 fail the bind.
 
 Nasty, but effective.  As noted above some client type programs would
 barf at this.   I guess you have to decide what the user has access to
 the machine for.

 Peter

-- 
 Peter Childs  ---  http://www.imforei.apana.org.au/~pjchilds
  Finger pjchilds@al.imforei.apana.org.au for public PGP key
         Drag me, drop me, treat me like an object!



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?199611251233.XAA17369>