
Re: Default DENY with ipchains



On Thu, Oct 19, 2000 at 06:40:49PM -0400, James Antill wrote:
> "Srebrenko Sehic" <haver@aub.dk> writes:
> 
> > Hello
> > 
> > Is it possible to prevent ordinary users from opening unprivileged ports
> > (>1024 tcp/udp)? If yes, how?
> > 
> > I've tried virtually every possible way to do this, but with no luck.
> 
>  As far as I know you can't do it with firewall rules.
>  However you could _try_ just changing PROT_SOCK in
> linux/include/net/sock.h from 1024 to 65535.

It'll work, that's the right define (I didn't check), but it's not very
smart - not the suggestion from James, the original poster's idea.
This will prevent an ordinary user from running X or telnet or ftp
or anything that uses networking at all (which even some apparently
local-only programs use).  Everything using networking will have to be
run as root.  Now you have to consider if any such program is secure
to run as root.  Running them as an ordinary user is safer.  That is,
you're probably not increasing security, but decreasing it.

Steve

-- 
Steve Bowman  <sbowman@frostwork.net> (preferred)
Buckeye, AZ   <sbowman@goodnet.com> <bowmanc@acm.org>
              <http://www.goodnet.com/~sbowman/>

Powered by Debian GNU/Linux and GNU/Hurd <http://www.debian.org>
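As an added example (it is not part of the thread above and not code from any of the posters), here is a small C program that probes the boundary PROT_SOCK defines. On a stock kernel, bind() to a TCP port below 1024 fails with EACCES for a user without CAP_NET_BIND_SERVICE, while ports at or above 1024 (and port 0, which asks for an ephemeral port) are open to anyone. The pure helper bind_needs_privilege models that check so you can see what raising PROT_SOCK to 65535 would do: every fixed port becomes privileged, which is exactly the breakage Steve describes. The probe ports (80, 1023, 1024, 8080, 0) and the loopback address are my choices for the demo; STOCK_PROT_SOCK is assumed to be 1024 as in the sock.h of the time.

```c
/* Added example, not from the original thread.  Probe the privileged-port
 * boundary that PROT_SOCK defines: bind() to a TCP port below PROT_SOCK
 * (assumed 1024, as in linux/include/net/sock.h at the time) fails with
 * EACCES unless the caller is root / has CAP_NET_BIND_SERVICE. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define STOCK_PROT_SOCK 1024  /* assumed stock value of PROT_SOCK */

/* Pure model of the kernel's bind() privilege check: does binding PORT
 * require privilege when the privileged-port boundary is PROT_SOCK?
 * Port 0 requests an ephemeral port and is never privileged. */
int bind_needs_privilege(int port, int prot_sock)
{
    return port != 0 && port < prot_sock;
}

/* Try to bind a TCP socket to 127.0.0.1:PORT (loopback chosen for the
 * demo).  Returns 0 on success, otherwise the errno from socket()/bind():
 * EACCES for a privileged port when unprivileged, EADDRINUSE if something
 * already listens there. */
int try_bind(int port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((unsigned short)port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa);
    int saved = rc < 0 ? errno : 0;
    close(fd);
    return saved;
}

int main(void)
{
    /* Demo ports chosen to straddle the stock boundary. */
    int ports[] = { 80, 1023, 1024, 8080, 0 };
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++) {
        int err = try_bind(ports[i]);
        printf("port %5d: model says %-12s bind() -> %s\n", ports[i],
               bind_needs_privilege(ports[i], STOCK_PROT_SOCK)
                   ? "privileged," : "unprivileged,",
               err ? strerror(err) : "ok");
        /* With PROT_SOCK raised to 65535 the model flags every fixed port. */
        if (bind_needs_privilege(ports[i], 65535) &&
            !bind_needs_privilege(ports[i], STOCK_PROT_SOCK))
            printf("            (would become privileged with PROT_SOCK=65535)\n");
    }
    return 0;
}
```

Run it as an ordinary user and you should see EACCES for 80 and 1023 and success for the rest; run it as root and all five succeed, which is the point of the reply: with PROT_SOCK at 65535 the only way to get past the EACCES is to run every networked program as root.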
