On Tue, Sep 15, 2009 at 11:39:05AM +0100, Freminlins typed:
> 2009/9/14 Chris Rees <[email protected]>
>
> > Isn't this a bit drastic? Listening sockets are opened by very many
> > types of processes, as well as remembering that sendmail, BIND, and
> > others don't actually run as root... I suppose it'd be possible, but
> > would it actually be useful?
>
> Sure, those open listening sockets. But those are things I want to listen.
>
> Now suppose a user account was hacked, and "Bob" sets up a web server
> listening on some random port above 1024. If "Bob" couldn't use listen() he
> wouldn't be able to do that.
Haven't tried it, but you can probably set net.inet.ip.portrange.reservedhigh to 65535. That way only root can bind(2) to any port.

Ruben

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[email protected]"
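A way to check what the sysctl suggested above actually does, as an added example that is not part of the thread: the probe below calls bind(2) on a few TCP ports as whatever user runs it and reports the errno. Run it on FreeBSD as an unprivileged user once with the default reserved range (reservedlow=0, reservedhigh=1023) and once after `sysctl net.inet.ip.portrange.reservedhigh=65535`; a port that moved into the reserved range changes from "bind succeeded" to EACCES. The port numbers 80 and 8080 are illustrative choices, and the port 0 case is included so you can also see whether a bind that lets the kernel pick an ephemeral port is affected, since that is what listen() on an unbound socket does.

```c
/* Added example, not code from the thread: probe whether the running
 * kernel lets the current user bind(2) a given TCP port on loopback.
 * Ports 80, 8080 and 0 below are illustrative; pass others on argv. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Try to bind a TCP socket to 127.0.0.1:port.
 * Returns 0 on success, otherwise the errno from socket(2) or bind(2). */
int try_bind(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

    int rc = bind(fd, (struct sockaddr *)&sin, sizeof sin);
    int saved = (rc == 0) ? 0 : errno;
    close(fd);
    return saved;
}

/* Human-readable verdict for a try_bind() result. */
const char *verdict(int err)
{
    switch (err) {
    case 0:
        return "bind succeeded (port not reserved for this user)";
    case EACCES:
        return "EACCES (port is in the reserved range and we are not root)";
    case EADDRINUSE:
        return "EADDRINUSE (something already listens here; try another port)";
    default:
        return strerror(err);
    }
}

int main(int argc, char **argv)
{
    /* Defaults: one port inside the classic 0..1023 reserved range, one
     * above it, and 0 (kernel-assigned ephemeral port). */
    unsigned short defaults[] = { 80, 8080, 0 };
    size_t n = sizeof defaults / sizeof defaults[0];

    printf("probing as uid %u\n", (unsigned)getuid());
    if (argc > 1) {
        for (int i = 1; i < argc; i++) {
            unsigned short p = (unsigned short)atoi(argv[i]);
            printf("port %5u: %s\n", p, verdict(try_bind(p)));
        }
    } else {
        for (size_t i = 0; i < n; i++)
            printf("port %5u: %s\n", defaults[i], verdict(try_bind(defaults[i])));
    }
    return 0;
}
```

Compile with `cc -o bindprobe bindprobe.c` and run it as the unprivileged account, not as root, since root passes the reserved-port check regardless of the sysctl. A port that reports EADDRINUSE tells you nothing about the reserved range; pick a free one.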
