Date: Tue, 22 Jun 1999 22:20:55 +0300 From: Valentin Nechayev <netch@carrier.kiev.ua> To: freebsd-security@freebsd.org Subject: Re: proposed secure-level 4 patch Message-ID: <19990622222055.J2436@lucky.net> In-Reply-To: <376D27ED.0180@funbox.demon.co.uk> <199906210518.PAA15232@cheops.anu.edu.au> <19990621142104.X63035@bitbox.follo.net> References: <376D27ED.0180@funbox.demon.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
At Mon, 21 Jun 1999 14:21:04 +0200, eivind@freebsd.org wrote: >> How about a bit vector defining which ports can and can't be bound from >> non-root below 1024 ? >> >> a 256 byte array doesn't sound too bad does it ? EE> Why haven't I seen the magic words of 'Merge from OpenBSD' in a commit EE> related to this yet? ;-) ;) Because it is not enough... full realization must give possibility to change the plain old ;) fixed rule "0..1023 for root, other for all; no 'automatic' binding to 0..1023" to any possible variant, for example: -> Deny all except uid 65530 to bind ports 3128-3130 on bind() with specified port number. Deny all (uid 65530 also) to bind these ports implicitly (means: without explicit bind, as first free port number). One can ask "why"? Because squid can die, and I don't want situation when a bad user catches one of these ports and prevents squid from restarting. -> Allow port 25 to be bound by uid 25 (postfix or sendmail, as you wish). -> Deny implicit binding to ports 6000-6099 for any (but allow explicit binding, for any user which wants simulate Xserver). -> Deny all explicit and implicit binding for all to 31337 port, to avoid fake BO detections. And so on... I have made such implementation, but with ipfw-styled interface. If someone can describe nesessary "capabilities" interface, it shall be remade & published. -- -- Valentin Nechayev netch@lucky.net II:LDXIII/MCMLXXII.CCC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990622222055.J2436>