Re: Deny local socket/port binding on server.
From: Michael Erskine (osiris@deltaville.net)
Date: 01/18/03
- Previous message: QuestionGuy: "Re: Deny local socket/port binding on server."
- In reply to: Tim Haynes: "Re: Deny local socket/port binding on server."
From: osiris@deltaville.net (Michael Erskine) Date: 17 Jan 2003 21:05:20 -0800
Tim Haynes <usenet@stirfried.vegetable.org.uk> wrote in message news:<86of6f5rg0.fsf@potato.vegetable.org.uk>...
> Jeremiah DeWitt Weiner <jdw+ALLSPAMMERSMUSTDIE@panix.com> writes:
>
> (Pathetic unflagged attempt to redirect followups away ignored)
>
> > In comp.unix.misc QuestionGuy <screw@spam.bots> wrote:
> >> A quick question... I am using Redhat Linux 7.x and 8.x. I need to know
> >> how I can deny users on a server from binding to non-superuser ports
> >> without interfering with legitimate operations/programs they might need
> >> to use? Any solution for FreeBSD would be great as well.
> >
> > The question sounds to me like "how can I stop users from using
> > ports, except when they should be using ports"?
>
> So it does.
>
> > I don't think there is a very good answer to the question, and you should
> > really take a step back and look at what it is you're trying to achieve.
> > Unix is generally not that much of a bondage-and-discipline operating
> > system; if you trust your users so little, perhaps the answer is not to
> > let users on the system.
>
> If it's possible, it should be possible on unix. Or were you thinking of
> recommending windoze?
>
> > Perhaps the answer is to have a company policy that running any non-
> > approved software is grounds for reprimand/dismissal. In general, I'd say
> > firewall your systems.
>
> That goes without saying.
>
> > Who cares if they bind to a port?
>
> I do. I have a perfectly good installation of linux here with exactly the
> setup the op requires.
>
> > Whether someone from outside can get in is the issue.
>
> I think you'll find that more than a little short-sighted. If you know
> anything about firewalling you'll know that egress filtering is vital, if
> only to prevent internal cracked machines from harming the rest of the
> world. Adding the integrity of your box is another logical extension of
> this idea.
>
> > Some versions of Unix also let you change the boundary between root-only
> > and public ports from 1024 to whatever you like, so you could
> > theoretically make them all root-only, but I'd still tend to go with
> > firewalling. (One minute of searching didn't reveal where to set it in
> > Linux, but I'm pretty sure it's there.)
>
> You're looking for the GRSecurity patches. Specifically, the options for
> restricting certain groups from establishing client and/or server sockets:
>
> | zsh/scr, 10:38PM / # grep sock /etc/group
> | socknone:x:999
> | socknocli:x:998:gateway
> | socknosrv:x:997:apache
> |
> | CONFIG_GRKERNSEC_SOCKET_ALL_GID=998
> | CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=997
> | CONFIG_GRKERNSEC_SOCKET_SERVER_GID=996
>
> HTH,
>
> ~Tim
Tim;
When time permits, mail me more. As usual you lead.
-m-
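As an added example that is not part of the original thread: a small Python audit that resolves each CONFIG_GRKERNSEC_SOCKET_*_GID value to the group owning that GID in /etc/group, using the group lines and kernel config fragment quoted above as constructed sample input. A restriction GID that no group owns is reported as such, since no user can then be placed under that restriction through group membership.

```python
import re

# Constructed from the /etc/group lines quoted in the post.
GROUP_FILE = """\
socknone:x:999:
socknocli:x:998:gateway
socknosrv:x:997:apache
"""

# Constructed from the kernel config fragment quoted in the post.
KERNEL_CONFIG = """\
CONFIG_GRKERNSEC_SOCKET_ALL_GID=998
CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=997
CONFIG_GRKERNSEC_SOCKET_SERVER_GID=996
"""

CONFIG_RE = re.compile(r"^CONFIG_GRKERNSEC_SOCKET_(ALL|CLIENT|SERVER)_GID=(\d+)$")


def parse_group_file(text):
    """Map GID -> (group name, member list) from /etc/group-style lines."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            groups[int(gid)] = (name, [m for m in members.split(",") if m])
    return groups


def parse_kernel_config(text):
    """Map restriction kind ('all', 'client', 'server') to its configured GID."""
    return {m.group(1).lower(): int(m.group(2))
            for m in map(CONFIG_RE.match, text.splitlines()) if m}


def audit(group_text, config_text):
    """Resolve each restriction GID to a group; group None means no group owns it."""
    groups = parse_group_file(group_text)
    report = {}
    for kind, gid in parse_kernel_config(config_text).items():
        name, members = groups.get(gid, (None, []))
        report[kind] = {"gid": gid, "group": name, "members": members}
    return report


if __name__ == "__main__":
    for kind, r in audit(GROUP_FILE, KERNEL_CONFIG).items():
        owner = r["group"] or "NO GROUP HAS THIS GID"
        print(f"{kind:6} sockets denied to GID {r['gid']}: {owner} {r['members']}")
```

Run on the quoted values, the report shows which group each configured GID actually selects, which is the first thing to check before relying on the restriction.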