[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: bittorrent in core? what frontend?



On Sat, December 17, 2005 3:12 pm, Callum Lerwick said:

> Actually, when you're talking about processes on the local machine,
> firewall rules are a totally hackish way of going about this.
>
> What you want to do, is have some kind of local ACL that says what
> processes and users can bind to what ports. This would solve a whole
> mess of security problems. (Look around, a great many server daemons
> have to be started as root, for the mere fact they want to bind to ports
> <1024.) Instead of firewalling, make the kernel disallow processes from
> even binding listen ports at all in the first place.

Yes, I believe ports are given a security context as well, although I
don't know how fine grained it is or if you still have to deal with
iptables rules in addition.

Sean


> I know back when I was playing with grsecurity years ago, it had a
> feature like this. It had group-based access control, you could set up a
> certain group and say "This group can not bind listen ports" and even
> "This group can't make outgoing connections" too. Or you could turn it
> around and say "Only this group can bind to ports" etc.
>
> It had some weird side effects though. IIRC various things wanted to
> bind to loopback...


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]