
Cool! But then I suppose the forked processes could bind to a low-numbered port - something they can't do now. So Apache would have to make sure to revoke that capability when forking.


You could combine it with something like this:

  SocketBindDeny=any
  SocketBindAllow=tcp:80
  SocketBindAllow=tcp:443

These ports should be denied by the kernel because they're already taken by httpd, and all others will be denied by BPF filters installed by systemd.

It feels like plugging holes in a dam, but that's what you do with popular operating systems.
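To see what the drop-in above actually permits once the forked workers keep their capability, here is an added example (not from either commenter) that parses SocketBindAllow=/SocketBindDeny= bind-rules and predicts the verdict for a given bind() call. It assumes my reading of systemd's semantics: allow rules are checked before deny rules, the first match wins, and a bind matching no rule is allowed; the HTTPD_DROPIN sample is constructed from the comment.

```python
import re
from collections import namedtuple
# Assumed grammar (my reading of systemd.resource-control(5)): [family:][proto:]ports
# with family ipv4|ipv6, proto tcp|udp, ports a port, a low-high range or "any".
RULE_RE = re.compile(
    r"^(?:(?P<family>ipv4|ipv6)(?::|$))?(?:(?P<proto>tcp|udp)(?::|$))?"
    r"(?P<ports>any|\d+(?:-\d+)?)?$")
# family/proto None match anything; ports is (low, high) inclusive or None.
BindRule = namedtuple("BindRule", "family proto ports")

def parse_rule(text):
    m = RULE_RE.match(text)
    if not text or text.endswith(":") or m is None:
        raise ValueError(f"bad bind-rule: {text!r}")
    ports = None
    if m["ports"] and m["ports"] != "any":
        low, _, high = m["ports"].partition("-")
        low, high = int(low), int(high or low)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port range: {text!r}")
        ports = (low, high)
    return BindRule(m["family"], m["proto"], ports)

def load_policy(unit_text):
    """Collect the unit's rules in order; an empty value resets that list."""
    lists = {"SocketBindAllow": [], "SocketBindDeny": []}
    for line in unit_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key not in lists:
            continue
        if value.strip():
            lists[key].append(parse_rule(value.strip()))
        else:
            lists[key].clear()
    return lists["SocketBindAllow"], lists["SocketBindDeny"]

def _matches(rule, family, proto, port):
    return (rule.family in (None, family) and rule.proto in (None, proto)
            and (rule.ports is None or rule.ports[0] <= port <= rule.ports[1]))

def bind_allowed(allow, deny, family, proto, port):
    # Assumed order: allow list first, then deny list, first match wins, and a
    # bind matching no rule is allowed (which is why the policy needs Deny=any).
    if any(_matches(r, family, proto, port) for r in allow):
        return True
    return not any(_matches(r, family, proto, port) for r in deny)

# Constructed sample: the drop-in suggested in the comment above.
HTTPD_DROPIN = "[Service]\nSocketBindDeny=any\nSocketBindAllow=tcp:80\nSocketBindAllow=tcp:443\n"
```

With this policy a worker can bind tcp/80 and tcp/443 on either address family (and the kernel then refuses them with EADDRINUSE while httpd holds them), but every other port, including udp, is denied; without the Deny=any line everything would be allowed.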



