Date: Sat, 22 Feb 2003 03:46:22 +1100 From: Darren Reed <darrenr@reed.wattle.id.au> To: "Jeroen C. van Gelderen" <jeroen@vangelderen.org> Cc: "Crist J. Clark" <cjc@FreeBSD.org>, src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/sys/netinet in_pcb.c Message-ID: <200302211646.DAA01570@avalon.reed.wattle.id.au> In-Reply-To: <326CFC6B-459E-11D7-9535-000393754B1C@vangelderen.org>
next in thread | previous in thread | raw e-mail | index | archive | help
In some email I received from Jeroen C. van Gelderen, sie wrote: > On Friday, Feb 21, 2003, at 06:28 Europe/Amsterdam, Crist J. Clark > wrote: > > cjc 2003/02/20 21:28:28 PST > > > > Modified files: > > sys/netinet in_pcb.c > > Log: > > The ancient and outdated concept of "privileged ports" in UNIX-type > > OSes has probably caused more problems than it ever solved. Allow the > > user to retire the old behavior by specifying their own privileged > > range with, > > > > net.inet.ip.portrange.reservedhigh default = IPPORT_RESERVED - 1 > > net.inet.ip.portrange.reservedlo default = 0 > > Thank you, thank you, thank you! FWIW, this feature is in line with similar settings available on Solaris but perhaps they're more in tune with the threat here: # ndd /dev/tcp tcp_smallest_nonpriv_port 1024 # ndd -set /dev/tcp tcp_smallest_nonpriv_port 1023 operation failed, Invalid argument If we assume that ports < 1024 are part of a "priviledge base" then the correct way to get access to them from a non-root application is through MAC (Robert Watson) or something like systrace. Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-src" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200302211646.DAA01570>