On Wed, Jan 17, 2001 at 07:47:23AM +0100, Walter W. Hop wrote:
> > The exploit managed to start inetd, camped on the specified port
>
> I guess, if it doesn't exist already, that it wouldn't be so hard to
> create a small patch to the kernel, so that only processes owned by root,
> or a certain group of users (let's say "daemon"), were allowed to set up
> listeners...
I've actually been thinking along the lines of something like that.
A bit more strict access control though - bind() on AF_INET and/or AF_INET6
disabled by default, except for certain uid/sockaddr pairs. A kernel module
keeping a table of uid/sockaddr pairs, and a userland tool (bindcontrol?)
to feed it the necessary data.
Does this strike people as particularly useless? :) I can think of at
least one situation where it would be useful - shell hosting with virtual
hostnames, where people are only allowed to have stuff listen on addresses
they themselves have registered. And yes, I know about jail, and it seems
a bit too much of an overkill.
G'luck,
Peter
--
When you are not looking at it, this sentence is in Spanish.
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
