Re: Deny local socket/port binding on server.
From: Tim Haynes (usenet@stirfried.vegetable.org.uk)
Date: 01/17/03
- Next message: Lord Slobber: "Re: unautherized access to unix systems?"
- Previous message: Jeremiah DeWitt Weiner: "Re: Deny local socket/port binding on server."
- In reply to: Jeremiah DeWitt Weiner: "Re: Deny local socket/port binding on server."
- Next in thread: QuestionGuy: "Re: Deny local socket/port binding on server."
- Reply: QuestionGuy: "Re: Deny local socket/port binding on server."
- Reply: Michael Erskine: "Re: Deny local socket/port binding on server."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Tim Haynes <usenet@stirfried.vegetable.org.uk> Date: Fri, 17 Jan 2003 22:42:23 +0000
Jeremiah DeWitt Weiner <jdw+ALLSPAMMERSMUSTDIE@panix.com> writes:
(Pathetic unflagged attempt to redirect followups away ignored)
> In comp.unix.misc QuestionGuy <screw@spam.bots> wrote:
>> A quick question... I am using Redhat Linux 7.x and 8.x. I need to know
>> how I can deny users on a server from binding to non-superuser ports
>> without interfering with legitimate operations/programs they might need
>> to use? Any solution for FreeBSD would be great as well.
>
> The question sounds to me like "how can I stop users from using
> ports, except when they should be using ports"?
So it does.
> I don't think there is a very good answer to the question, and you should
> really take a step back and look at what it is you're trying to achieve.
> Unix is generally not that much of a bondage-and-discipline operating
> system; if you trust your users so little, perhaps the answer is not to
> let users on the system.
If it's possible, it should be possible on unix. Or were you thinking of
recommending windoze?
> Perhaps the answer is to have a company policy that running any non-
> approved software is grounds for reprimand/dismissal. In general, I'd say
> firewall your systems.
That goes without saying.
> Who cares if they bind to a port?
I do. I have a perfectly good installation of linux here with exactly the
setup the OP requires.
> Whether someone from outside can get in is the issue.
I think you'll find that more than a little short-sighted. If you know
anything about firewalling you'll know that egress filtering is vital, if
only to prevent internal cracked machines from harming the rest of the
world. Adding the integrity of your box is another logical extension of
this idea.
> Some versions of Unix also let you change the boundary between root-only
> and public ports from 1024 to whatever you like, so you could
> theoretically make them all root-only, but I'd still tend to go with
> firewalling. (One minute of searching didn't reveal where to set it in
> Linux, but I'm pretty sure it's there.)
You're looking for the GRSecurity patches. Specifically, the options for
restricting certain groups from establishing client and/or server sockets:
| zsh/scr, 10:38PM / # grep sock /etc/group
| socknone:x:999
| socknocli:x:998:gateway
| socknosrv:x:997:apache
|
| CONFIG_GRKERNSEC_SOCKET_ALL_GID=998
| CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=997
| CONFIG_GRKERNSEC_SOCKET_SERVER_GID=996
HTH,
~Tim
-- zsh % perl -ce 'more or less' |piglet@stirfried.vegetable.org.uk -e syntax OK |http://spodzone.org.uk/
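An added example, not part of Tim's post or of the grsecurity project: a small audit script that takes the two artefacts his post shows (the /etc/group lines and the CONFIG_GRKERNSEC_SOCKET_*_GID options) and reports, per restriction, which group and which accounts the kernel option actually points at. The sample input is copied from the post; the three CONFIG keys are real grsecurity options (ALL denies any socket, CLIENT denies connect(), SERVER denies bind()/listen()); the parsing helpers and their names are this example's own. It deliberately reports a configured GID that has no group in the excerpt, as 996 has in the post's `grep sock` output, since a kernel option pointing at a GID no group carries restricts nobody. One caveat the script states in a comment: /etc/group lists only supplementary members, so accounts whose primary GID (from /etc/passwd) is one of these groups are also restricted but do not show up here.

```python
"""Audit grsecurity's group-based socket restrictions against /etc/group.

Added example (not from the original thread or from grsecurity). It resolves
each CONFIG_GRKERNSEC_SOCKET_*_GID value to a group name and member list so
an admin can verify the kernel config GIDs line up with the intended groups.
"""

# Sample /etc/group excerpt, copied from the post ("grep sock /etc/group").
GROUP_FILE = """\
socknone:x:999
socknocli:x:998:gateway
socknosrv:x:997:apache
"""

# Kernel config values, copied from the post.
KERNEL_CONFIG = """\
CONFIG_GRKERNSEC_SOCKET_ALL_GID=998
CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=997
CONFIG_GRKERNSEC_SOCKET_SERVER_GID=996
"""

# What each grsecurity option denies to members of the configured GID.
RESTRICTIONS = {
    "CONFIG_GRKERNSEC_SOCKET_ALL_GID": "any socket (client or server)",
    "CONFIG_GRKERNSEC_SOCKET_CLIENT_GID": "client sockets (connect())",
    "CONFIG_GRKERNSEC_SOCKET_SERVER_GID": "server sockets (bind()/listen())",
}


def parse_group_file(text):
    """Return {gid: (group_name, [members])} from /etc/group content.

    Caveat: only supplementary members appear in /etc/group. Accounts whose
    primary GID (set in /etc/passwd) is one of these groups are restricted
    too but will not be listed here.
    """
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed line: skip rather than guess
        name, gid = fields[0], int(fields[2])
        members = [m for m in fields[3].split(",") if m] if len(fields) > 3 else []
        groups[gid] = (name, members)
    return groups


def parse_kernel_config(text):
    """Return {option: gid} for the CONFIG_GRKERNSEC_SOCKET_*_GID lines."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" not in line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key in RESTRICTIONS:
            cfg[key] = int(value)
    return cfg


def socket_policy(group_text, config_text):
    """Map each restriction option to (gid, group_name or None, members)."""
    groups = parse_group_file(group_text)
    policy = {}
    for option, gid in parse_kernel_config(config_text).items():
        name, members = groups.get(gid, (None, []))
        policy[option] = (gid, name, members)
    return policy


def report(group_text, config_text):
    """Human-readable lines, one per restriction, flagging unmatched GIDs."""
    lines = []
    for option, (gid, name, members) in socket_policy(group_text, config_text).items():
        denied = RESTRICTIONS[option]
        if name is None:
            lines.append(f"{option}={gid}: NO GROUP with this GID -> restricts nobody")
        else:
            who = ", ".join(members) if members else "(no supplementary members)"
            lines.append(f"{option}={gid}: group {name} denied {denied}; members: {who}")
    return lines


if __name__ == "__main__":
    for line in report(GROUP_FILE, KERNEL_CONFIG):
        print(line)
```

Run it against the real files by reading /etc/group and the running kernel's config (for example /boot/config-$(uname -r)) instead of the embedded samples; any line reporting "NO GROUP" means that restriction is configured but currently applies to no account.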