Peter Pentchev writes:
> On Wed, Jan 17, 2001 at 07:47:23AM +0100, Walter W. Hop wrote:
> > >    The exploit managed to start inetd, camped on the specified port
> > 
> > I guess, if it doesn't exist already, that it wouldn't be so hard to
> > create a small patch to the kernel, so that only processes owned by root,
> > or a certain group of users (let's say "daemon"), were allowed to set up
> > listeners...
> 
> I've actually been thinking along the lines of something like that.
> A bit more strict access control though - bind() on AF_INET and/or AF_INET6
> disabled by default, except for certain uid/sockaddr pairs.  A kernel module
> keeping a table of uid/sockaddr pairs, and a userland tool (bindcontrol?)
> to feed it the necessary data.
> 
> Does this strike people as particularly useless? :)  I can think of at
> least one situation where it would be useful - shell hosting with virtual
> hostnames, where people are only allowed to have stuff listen on addresses
> they themselves have registered.  And yes, I know about jail, and it seems
> a bit too much of an overkill.
Developing a kernel module instead of jail IS the overkill.
jail is easily configurable (after the 2nd or 3rd of them)


-- 
@BABOLO      http://links.ru/
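To make the bind() access-control idea in Peter's quoted proposal concrete, here is an added userland model of the rule table such a module (and its "bindcontrol" feeder) would hold. This is example code written for this page, not code from any poster or from FreeBSD: it assumes rules of the form "uid addr port" where "any" or port 0 are wildcards, that root keeps bind() as today (Walter's suggestion), and that everything else is denied by default. The sample rules and requests are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* One entry of the hypothetical uid/sockaddr table.
 * addr == INADDR_ANY means "any local address"; port == 0 means "any port". */
struct bind_rule {
    uid_t uid;
    struct in_addr addr;   /* network byte order */
    uint16_t port;         /* host byte order */
};

#define MAX_RULES 16
static struct bind_rule rules[MAX_RULES];
static size_t nrules;

/* Parse one line "uid addr port" (as a bindcontrol-style tool might feed the
 * kernel) into the table. Returns 0 on success, -1 on malformed input. */
int add_rule(const char *line)
{
    unsigned uid, port;
    char ip[INET_ADDRSTRLEN];
    struct bind_rule r;

    if (nrules >= MAX_RULES)
        return -1;
    if (sscanf(line, "%u %15s %u", &uid, ip, &port) != 3 || port > 65535)
        return -1;
    if (strcmp(ip, "any") == 0)
        r.addr.s_addr = htonl(INADDR_ANY);
    else if (inet_pton(AF_INET, ip, &r.addr) != 1)
        return -1;
    r.uid = uid;
    r.port = (uint16_t)port;
    rules[nrules++] = r;
    return 0;
}

/* The decision a bind() hook would make: 1 = allow, 0 = deny.
 * A rule for a specific address deliberately does NOT match a request for
 * 0.0.0.0, since a wildcard bind would also grab other users' addresses. */
int bind_allowed(const struct bind_rule *tbl, size_t n, uid_t uid,
                 const struct sockaddr_in *sin)
{
    if (uid == 0)
        return 1;   /* assumption: root is exempt, as in the quoted suggestion */
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].uid != uid)
            continue;
        if (tbl[i].addr.s_addr != htonl(INADDR_ANY) &&
            tbl[i].addr.s_addr != sin->sin_addr.s_addr)
            continue;
        if (tbl[i].port != 0 && tbl[i].port != ntohs(sin->sin_port))
            continue;
        return 1;
    }
    return 0;       /* default deny */
}

/* Constructed sample table: uid 1001 owns 192.0.2.10 outright, uid 1002 may
 * only listen on 192.0.2.11 port 8080. */
void load_sample_rules(void)
{
    nrules = 0;
    add_rule("1001 192.0.2.10 0");
    add_rule("1002 192.0.2.11 8080");
}

/* Convenience wrapper: build the sockaddr a caller would pass to bind()
 * and run it through the table. Returns -1 if ip is not a valid IPv4 address. */
int check_request(uid_t uid, const char *ip, uint16_t port)
{
    struct sockaddr_in sin;

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1)
        return -1;
    return bind_allowed(rules, nrules, uid, &sin);
}

int main(void)
{
    load_sample_rules();
    printf("uid 1001 -> 192.0.2.10:22   : %d\n", check_request(1001, "192.0.2.10", 22));
    printf("uid 1001 -> 0.0.0.0:22      : %d\n", check_request(1001, "0.0.0.0", 22));
    printf("uid 1002 -> 192.0.2.11:8080 : %d\n", check_request(1002, "192.0.2.11", 8080));
    printf("uid 1002 -> 192.0.2.11:8081 : %d\n", check_request(1002, "192.0.2.11", 8081));
    return 0;
}
```

The one non-obvious design point is the wildcard case: in the shell-hosting scenario, a user with a rule for their own virtual address must still be refused a bind() to 0.0.0.0, otherwise a single listener on the wildcard address would capture connections meant for every other registered hostname on the box.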


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
