From: Peter Childs
Date: Mon, 25 Nov 1996 23:03:32 +1030 (CST)
To: shadows@whitefang.com (Thamer Al-Herbish), freebsd-questions@freebsd.org
Subject: Re: Keeping users from bind'ing to ports
Message-Id: <199611251233.XAA17369@al.imforei.apana.org.au>

In article you wrote:
: On Fri, 22 Nov 1996, Gary Clark II wrote:
: > David Langford wrote:
: > > Is there a way of keeping some users from being able to run programs
: > > that bind to ports over 1024? (i.e. to keep users from running servers)
: > I don't know any way of doing this except maybe
: > with IP firewall. Anyone else?
: A while back I wrote a hack that basically ran netstat for all listening
: ports, then did a reverse ident query to find out which users were
: running what on what port. There's one problem there: you only know userX
: ran something on port xxxx. I really wouldn't do this; you have to realise
: there are programs at user level that bind to a port. FTP comes to mind,
: where the client opens up an additional port to get the data from.

The call to bind ends up in the kernel. There is some code there that
checks that if port < 1024 the user-id must be root. You could do another
check: if the port is in the "userland" range and group-id == untrusted,
then fail the bind. Nasty, but effective. As noted above, some client-type
programs would barf at this.

I guess you have to decide what the user has access to the machine for.

 Peter

--
 Peter Childs --- http://www.imforei.apana.org.au/~pjchilds
 Finger pjchilds@al.imforei.apana.org.au for public PGP key
 Drag me, drop me, treat me like an object!
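The decision Peter describes, the existing reserved-port check plus his proposed group-based check, modelled in userland C as an added example (this is not kernel code from FreeBSD or from anyone in the thread). The ephemeral range start, the `UNTRUSTED_GID` value and the `check_bind` name are assumptions made for the illustration. The model also resolves a request for port 0 ("pick one for me") to an ephemeral port before applying the group check, which is what makes the active-mode FTP client case in the thread fail:

```c
#include <stdio.h>
#include <sys/types.h>

/* Constructed model of the privilege check bind(2) performs in the kernel
 * on 4.4BSD-derived systems, plus the extra group-based rule proposed in
 * the message.  Illustrative only; not FreeBSD kernel code. */

#define IPPORT_RESERVED     1024   /* ports below this require uid 0 */
#define IPPORT_EPHEMERAL_LO 49152  /* assumed start of the ephemeral range */
#define UNTRUSTED_GID       1001   /* hypothetical "untrusted" group id */

enum bind_result {
    BIND_OK,
    BIND_EACCES_RESERVED,   /* non-root asked for a port below 1024 */
    BIND_EACCES_UNTRUSTED   /* untrusted group asked for a userland port */
};

/* Existing rule: an explicit port below IPPORT_RESERVED needs uid 0.
 * Port 0 means "kernel, choose for me" and is not subject to this rule. */
static enum bind_result check_reserved(uid_t uid, unsigned port)
{
    if (port != 0 && port < IPPORT_RESERVED && uid != 0)
        return BIND_EACCES_RESERVED;
    return BIND_OK;
}

/* Proposed rule: resolve port 0 to an ephemeral port first, then refuse
 * any port in the userland range to members of the untrusted group.
 * On success the port actually bound is written to *assigned. */
static enum bind_result check_bind(uid_t uid, gid_t gid, unsigned port,
                                   unsigned *assigned)
{
    enum bind_result r = check_reserved(uid, port);
    if (r != BIND_OK)
        return r;

    unsigned p = (port == 0) ? IPPORT_EPHEMERAL_LO : port;
    if (p >= IPPORT_RESERVED && gid == UNTRUSTED_GID)
        return BIND_EACCES_UNTRUSTED;

    if (assigned)
        *assigned = p;
    return BIND_OK;
}

static const char *describe(enum bind_result r)
{
    switch (r) {
    case BIND_OK:               return "ok";
    case BIND_EACCES_RESERVED:  return "EACCES (reserved port, not root)";
    case BIND_EACCES_UNTRUSTED: return "EACCES (untrusted group, userland port)";
    }
    return "?";
}

int main(void)
{
    /* Constructed sample bind attempts: uid, gid, requested port, label. */
    struct { uid_t uid; gid_t gid; unsigned port; const char *what; } tries[] = {
        { 1000, 100,           80,   "ordinary user, httpd on 80" },
        { 0,    0,             80,   "root, httpd on 80" },
        { 1000, 100,           8080, "ordinary user, server on 8080" },
        { 1000, UNTRUSTED_GID, 8080, "untrusted user, server on 8080" },
        { 1000, UNTRUSTED_GID, 0,    "untrusted user, FTP client data port" },
    };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++) {
        unsigned got = 0;
        enum bind_result r = check_bind(tries[i].uid, tries[i].gid,
                                        tries[i].port, &got);
        printf("%-40s -> %s", tries[i].what, describe(r));
        if (r == BIND_OK)
            printf(" (port %u)", got);
        printf("\n");
    }
    return 0;
}
```

The last row is the caveat from the thread: a client that asks for port 0 to receive an FTP data connection lands in the userland range and is refused just like a deliberately started server, so a group-based kernel check cannot distinguish "running a server" from "running a client that needs a listening socket". Later FreeBSD releases provide a finer-grained tool for this kind of policy in the mac_portacl(4) module, which restricts port binding per uid or gid without patching the kernel.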