Date: Mon, 23 Sep 2002 09:28:23 +0100 From: Bruce M Simpson <bms@spc.org> To: John Hay <jhay@icomtek.csir.co.za> Cc: freebsd-hackers@FreeBSD.ORG Subject: Re: Just a wild idea Message-ID: <20020923082823.GH23343@spc.org> In-Reply-To: <200209230629.g8N6TFb8054614@zibbi.icomtek.csir.co.za> References: <Pine.BSF.4.21.0209222144400.32087-100000@InterJet.elischer.org> <200209230629.g8N6TFb8054614@zibbi.icomtek.csir.co.za>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Sep 23, 2002 at 08:29:15AM +0200, John Hay wrote: > > better to have a definition of what are restricted ports for each jail > > than to redefine what root is.... > > > > (1024 numbers is only 32 words of bitmask) > > Sometimes I think the below 1024 check is outdated. What about a flag to > switch the below 1024 check totally off? How much do we really loose? The I remember around 6 years ago, when I still ran Linux, that the solution to this problem came in the form of a diff which delegated bind() on a reserved port credentials to a certain GID, BIND_GID. From that point on, the boot process had to be changed such that daemons which only needed to bind to a privileged port were run under their own non-root uid, with this BIND_GID in the additional groups list, using a wrapper such as sudo. This still amounts to a local mod - it can be done, has been done before, I think Tom Ptacek did some diffs for this for vanilla 4.4BSD a good while back, rewriting it for your current tree can't be too difficult. See here: http://www.sockpuppet.org/tqbf/sysctlpriv.html BMS To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020923082823.GH23343>