From owner-cvs-src  Fri Feb 21  8:47: 1 2003
Delivered-To: cvs-src@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id C79E637B412; Fri, 21 Feb 2003 08:46:59 -0800 (PST)
Received: from mta05ps.bigpond.com (mta05ps.bigpond.com [144.135.25.137])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 4C42743FE0; Fri, 21 Feb 2003 08:46:57 -0800 (PST)
	(envelope-from darrenr@reed.wattle.id.au)
Received: from CPE-61-9-164-106.vic.bigpond.net.au
          ([144.135.25.72]) by mta05ps.bigpond.com (Netscape Messaging
          Server 4.15 mta05ps Jul 16 2002 22:47:55) with SMTP id
          HAO3Y700.9K7; Sat, 22 Feb 2003 02:46:55 +1000 
Received: from CPE-203-51-131-87.vic.bigpond.net.au ([203.51.131.87]) by PSMAM02.mailsvc.email.bigpond.com(MailRouter V3.0n 80/18662354); 22 Feb 2003 02:46:55
Received: (from root@localhost)
	by CPE-61-9-164-106.vic.bigpond.net.au (8.11.0/8.11.0) id h1LGkY928647;
	Sat, 22 Feb 2003 03:46:34 +1100
From: Darren Reed <darrenr@reed.wattle.id.au>
Message-Id: <200302211646.DAA01570@avalon.reed.wattle.id.au>
Subject: Re: cvs commit: src/sys/netinet in_pcb.c
In-Reply-To: <326CFC6B-459E-11D7-9535-000393754B1C@vangelderen.org>
To: "Jeroen C. van Gelderen" <jeroen@vangelderen.org>
Date: Sat, 22 Feb 2003 03:46:22 +1100
Cc: "Crist J. Clark" <cjc@FreeBSD.org>, src-committers@FreeBSD.org,
	cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
X-Mailer: ELM [version 2.4ME+ PL99d (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: owner-cvs-src@FreeBSD.ORG
Precedence: bulk
List-ID: <cvs-src.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20cvs-src>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20cvs-src>
X-Loop: FreeBSD.ORG

In some email I received from Jeroen C. van Gelderen, sie wrote:
> On Friday, Feb 21, 2003, at 06:28 Europe/Amsterdam, Crist J. Clark 
> wrote:
> > cjc         2003/02/20 21:28:28 PST
> >
> >   Modified files:
> >     sys/netinet          in_pcb.c
> >   Log:
> >   The ancient and outdated concept of "privileged ports" in UNIX-type
> >   OSes has probably caused more problems than it ever solved. Allow the
> >   user to retire the old behavior by specifying their own privileged
> >   range with,
> >
> >     net.inet.ip.portrange.reservedhigh  default = IPPORT_RESERVED - 1
> >     net.inet.ip.portrange.reservedlo    default = 0
> 
> Thank you, thank you, thank you!

FWIW, this feature is in line with similar settings available on
Solaris but perhaps they're more in tune with the threat here:

# ndd /dev/tcp tcp_smallest_nonpriv_port
1024
# ndd -set /dev/tcp tcp_smallest_nonpriv_port 1023
operation failed, Invalid argument

If we assume that ports < 1024 are part of a "priviledge base" then
the correct way to get access to them from a non-root application is
through MAC (Robert Watson) or something like systrace.

Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-src" in the body of the message