Date: Fri, 21 Feb 2003 09:15:56 +0000
From: Mark Murray <mark@grondar.org>
To: "Crist J. Clark" <cjc@FreeBSD.org>
Cc: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet in_pcb.c
Message-ID: <200302210915.h1L9FuPE031429@grimreaper.grondar.org>
In-Reply-To: Your message of "Thu, 20 Feb 2003 21:28:28 PST." <200302210528.h1L5SS0H092948@repoman.freebsd.org>
YAY!!! This is _SO_ cool! :-)

M

"Crist J. Clark" writes:
> cjc         2003/02/20 21:28:28 PST
>
>   Modified files:
>     sys/netinet          in_pcb.c
>   Log:
>   The ancient and outdated concept of "privileged ports" in UNIX-type
>   OSes has probably caused more problems than it ever solved. Allow the
>   user to retire the old behavior by specifying their own privileged
>   range with,
>
>     net.inet.ip.portrange.reservedhigh default = IPPORT_RESERVED - 1
>     net.inet.ip.portrange.reservedlo   default = 0
>
>   Now you can run that webserver without ever needing root at all. Or
>   just imagine, an ftpd that can really drop privileges, rather than
>   just set the euid, and still do PORT data transfers from 20/tcp.
>
>   Two edge cases to note,
>
>     # sysctl net.inet.ip.portrange.reservedhigh=0
>
>   Opens all ports to everyone, and,
>
>     # sysctl net.inet.ip.portrange.reservedhigh=65535
>
>   Locks all network activity to root only (which could actually have
>   been achieved before with ipfw(8), but is somewhat more
>   complicated).
>
>   For those who stick to the old religion that 0-1023 belong to root and
>   root alone, don't touch the knobs (or even lock them by raising
>   securelevel(8)), and nothing changes.
>
>   Revision  Changes    Path
>   1.120     +15 -2     src/sys/netinet/in_pcb.c

--
Mark Murray
iumop ap!sdn w,I idlaH
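The reservedhigh/reservedlow semantics described in the quoted commit message, as an added audit script that is not part of the thread or of FreeBSD: classify_range models the kernel check as a plain range test (an assumption, not the in_pcb.c code) and flags any setting that leaves a traditional port below 1024 bindable without root, which is the policy change an administrator of a multi-user host wants to notice; live_audit assumes the low knob's sysctl name is net.inet.ip.portrange.reservedlow as documented in ip(4).

```shell
# Added example, not code from the thread or from FreeBSD.
# Assumption: a port needs root iff reservedlow <= port <= reservedhigh.

IPPORT_RESERVED=1024   # BSD constant; default reservedhigh is this minus 1

# port_needs_root LO HI PORT: succeed if binding PORT requires root
port_needs_root() {
    [ "$3" -ge "$1" ] && [ "$3" -le "$2" ]
}

# classify_range LO HI: print a one-line verdict; return 1 when some port
# in the traditional 1-1023 block no longer needs root (range was relaxed).
classify_range() {
    lo=$1; hi=$2
    if [ "$hi" -lt "$lo" ] || [ "$hi" -le 0 ]; then
        # reservedhigh=0 case from the commit: nothing is reserved any more
        echo "none reserved: any user can bind any port"
        return 1
    fi
    if [ "$lo" -le 1 ] && [ "$hi" -ge 65535 ]; then
        # reservedhigh=65535 case from the commit: everything needs root
        echo "all reserved: only root can bind any port"
        return 0
    fi
    if [ "$lo" -le 1 ] && [ "$hi" -eq $((IPPORT_RESERVED - 1)) ]; then
        echo "default: ports 1-$hi reserved to root"
        return 0
    fi
    echo "custom: ports $lo-$hi reserved to root"
    # walk the traditional privileged block and fail on the first port
    # that an unprivileged user could now bind
    p=1
    while [ "$p" -lt "$IPPORT_RESERVED" ]; do
        port_needs_root "$lo" "$hi" "$p" || return 1
        p=$((p + 1))
    done
    return 0
}

# live_audit: read the knobs on a FreeBSD host and classify them;
# returns 2 if the sysctls are not present on this system
live_audit() {
    lo=$(sysctl -n net.inet.ip.portrange.reservedlow) || return 2
    hi=$(sysctl -n net.inet.ip.portrange.reservedhigh) || return 2
    classify_range "$lo" "$hi"
}
```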