Date: Fri, 21 Feb 2003 10:18:40 -0500 (EST) From: Robert Watson <rwatson@FreeBSD.org> To: Garance A Drosihn <drosih@rpi.edu> Cc: "Crist J. Clark" <cjc@FreeBSD.org>, src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/sys/netinet in_pcb.c (priv ports) Message-ID: <Pine.NEB.3.96L.1030221101604.12840A-100000@fledge.watson.org> In-Reply-To: <p05200f0dba7b6c5f4cb2@[128.113.24.47]>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 21 Feb 2003, Garance A Drosihn wrote: > While this can be useful, it would be nice if there was also an > exception-mechanism, instead of just a "lo" and "high" value. If I want > to run a web server without needing root, then I'd like to allow port > 80, and not an entire range of 0-80 or 80-1024. Well, if you want, you could combine these twiddles with a custom MAC module that checks the arguments to bind(), connect(), etc, and has an access control list regarding who can use which ports. Note that ipfw doesn't prevent you from binding the ports and therefore excluding other use, it just prevents certain classes of packet use. There are actually at least two functions of the reserved port behavior -- first, the historic "we know root must have authorized the sending of these packets", and second, the "prevent joe user from offering official services without appropriate privilege". Aspects of the second part are still important, so unless you have only trusted users on your web server machine, you might want access controls to prevent inappropriate users from starting web servers next time you restart your web server and the ports are temporarily unbound. Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-src" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1030221101604.12840A-100000>