Re: bittorrent in core? what frontend?

On Sat, December 17, 2005 3:12 pm, Callum Lerwick said:

> Actually, when you're talking about processes on the local machine,
> firewall rules are a totally hackish way of going about this.
>
> What you want to do, is have some kind of local ACL that says what
> processes and users can bind to what ports. This would solve a whole
> mess of security problems. (Look around, a great many server daemons
> have to be started as root, for the mere fact they want to bind to ports
> <1024.) Instead of firewalling, make the kernel disallow processes from
> even binding listen ports at all in the first place.

Yes, I believe ports are given a security context as well, although I
don't know how fine-grained it is or if you still have to deal with
iptables rules in addition.

Sean


> I know back when I was playing with grsecurity years ago, it had a
> feature like this. It had group-based access control, you could set up a
> certain group and say "This group can not bind listen ports" and even
> "This group can't make outgoing connections" too. Or you could turn it
> around and say "Only this group can bind to ports" etc.
>
> It had some weird side effects though. IIRC various things wanted to
> bind to loopback...

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
