Subject: Re: Controlled Network Access
From: Chris D. Faulhaber (jedgarfxp.org)
Date: Sat Feb 19 2000 - 18:15:43 CST


On Sat, 19 Feb 2000, Tom Marchand wrote:

> I would like to control which users can access tcpip utilities (ftp, telnet,
> etc) by using groups. I realize that this can be accomplished via the
> proper file permissions on each utility. This works but it will not prevent
> somebody from compiling their own ftp, telnet etc. My thought was to
> perform the authorization at the socket level. This would entail
> modification of the kernel to only allow root or a member of the tcpip group
> to open a socket. Does anybody know if this has been done or if it would
> even work? I originally had this requirement at work to lock down external
> vendors. Since we are an AIX shop it was quite easy. On AIX you must be a
> member of the system group to access network utilities.
>

Although not at the socket() level, you may want to look into uid/gid
filtering via ipfw.

-----
Chris D. Faulhaber - jedgarfxp.org - jedgarFreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org
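
The uid/gid filtering suggested in the reply, sketched as an added example that is not part of the original thread: a small generator that prints (and does not apply) ipfw rules limiting locally originated TCP and UDP traffic to root and one group. The group name `tcpip`, the rule numbers, the `lo0` interface and the `gen_rules` helper are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): print ipfw rules that let
# only root and members of one group originate TCP/UDP traffic.
# Assumed values: group "tcpip", rule numbers starting at 1000, loopback lo0.

gen_rules() {
    group=$1
    base=${2:-1000}

    # Accept only a plain group name and a numeric rule base, so the
    # generated lines are safe to review and then pipe to a shell.
    case $group in
        ''|*[!A-Za-z0-9_-]*) echo "bad group name" >&2; return 1 ;;
    esac
    case $base in
        ''|*[!0-9]*) echo "bad rule number" >&2; return 1 ;;
    esac

    n=$base
    # Leave loopback traffic alone so local services keep working.
    echo "ipfw add $n allow ip from any to any via lo0"

    for proto in tcp udp; do
        # Sockets owned by root (system daemons) may send.
        n=$((n + 10))
        echo "ipfw add $n allow $proto from me to any out uid root"
        # Sockets owned by a member of the permitted group may send.
        n=$((n + 10))
        echo "ipfw add $n allow $proto from me to any out gid $group"
        # Everything else originated on this host is dropped, including
        # a privately compiled ftp or telnet client.
        n=$((n + 10))
        echo "ipfw add $n deny $proto from me to any out"
    done
}

# Print the ruleset when called with arguments, e.g.: sh rules.sh tcpip 1000
if [ $# -gt 0 ]; then
    gen_rules "$@"
fi
```

The `uid` and `gid` options match only TCP and UDP packets, and ipfw evaluates rules in numeric order, so these rules have to come before any broader allow rule in the existing ruleset.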
