Non-root user and accept() or listen()
Freminlins
freminlins at gmail.com
Mon Sep 14 16:47:19 UTC 2009
Hi,
I am not sure if this exists (but don't think so), so I am asking.
Is there a sysctl-type thing to disallow non-root users, or indeed any
specified user or group, from running a program with listen()?
What I am looking at is improving network security, such that if a user
account is compromised it can then not be used to run a dodgy web
server/whatever on a non-privileged port. Although I can firewall off any
port I wish, it seems like an obvious thing to disallow any user from
opening a listening socket in the first place. I am suggesting something
like "sysctl user.socket_listen" with enable or disable.
Am I being really daft? Or does this exist already?
Cheers,
Frem.
More information about the freebsd-questions mailing list