Date:      Fri, 21 Feb 2003 00:54:04 -0500
From:      Garance A Drosihn <drosih@rpi.edu>
To:        "Crist J. Clark" <cjc@FreeBSD.org>, src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/sys/netinet in_pcb.c (priv ports)
Message-ID:  <p05200f0dba7b6c5f4cb2@[128.113.24.47]>
In-Reply-To: <200302210528.h1L5SS0H092948@repoman.freebsd.org>
References:  <200302210528.h1L5SS0H092948@repoman.freebsd.org>

At 9:28 PM -0800 2/20/03, Crist J. Clark wrote:
>cjc         2003/02/20 21:28:28 PST
>
>   Modified files:
>     sys/netinet          in_pcb.c
>   Log:
>   The ancient and outdated concept of "privileged ports" in UNIX-type
>   OSes has probably caused more problems than it ever solved. Allow the
>   user to retire the old behavior by specifying their own privileged
>   range with,
>
>     net.inet.ip.portrange.reservedhigh  default = IPPORT_RESERVED - 1
>     net.inet.ip.portrange.reservedlo    default = 0
>
>   Now you can run that webserver without ever needing root at all. Or
>   just imagine, an ftpd that can really drop privileges, rather than
>   just set the euid, and still do PORT data transfers from 20/tcp.

While this can be useful, it would be nice if there was also an
exception-mechanism, instead of just a "lo" and "high" value.
If I want to run a web server without needing root, then I'd like
to allow port 80, and not an entire range of 0-80 or 80-1024.

Would that be hard to implement?  Maybe even tied to a userid?
(so any process from a given user could bind to the port, but not
any process from any user).  All this change affects is whether
the bind() will succeed, right?  Maybe have the exception tied to
the existence-of and access-to some specific file?

[apologies if this was discussed somewhere and I missed it...]

-- 
Garance Alistair Drosehn            =   gad@gilead.netel.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu
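
Added illustration (not FreeBSD kernel code and not part of this thread): a user-space C model of the range check the commit log describes, showing how many other low ports stop needing root when the range is moved just far enough to free port 80. It assumes a port requires root exactly when reservedlo <= port <= reservedhigh; the struct and function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

#define IPPORT_RESERVED 1024

/* User-space model of the two sysctls named in the commit log. */
struct portrange {
    int reservedlo;   /* net.inet.ip.portrange.reservedlo */
    int reservedhigh; /* net.inet.ip.portrange.reservedhigh */
};

/* Assumption: binding needs root when reservedlo <= port <= reservedhigh. */
static bool needs_root(const struct portrange *pr, int port)
{
    return port >= pr->reservedlo && port <= pr->reservedhigh;
}

/* Ports in 1..1023, other than `wanted`, that no longer need root. */
static int collateral_ports(const struct portrange *pr, int wanted)
{
    int n = 0;
    for (int p = 1; p < IPPORT_RESERVED; p++)
        if (p != wanted && !needs_root(pr, p))
            n++;
    return n;
}

/* Free `wanted` by moving one bound; keep the option that exposes fewer ports. */
static struct portrange best_range_for(int wanted)
{
    struct portrange raise_lo = { wanted + 1, IPPORT_RESERVED - 1 };
    struct portrange lower_hi = { 0, wanted - 1 };
    return collateral_ports(&raise_lo, wanted) <=
           collateral_ports(&lower_hi, wanted) ? raise_lo : lower_hi;
}

int main(void)
{
    struct portrange def = { 0, IPPORT_RESERVED - 1 };
    struct portrange best = best_range_for(80);
    printf("default: port 80 needs root = %d\n", needs_root(&def, 80));
    printf("best range for 80: lo=%d high=%d\n", best.reservedlo, best.reservedhigh);
    printf("other low ports opened: %d (22 needs root = %d)\n",
           collateral_ports(&best, 80), needs_root(&best, 22));
    return 0;
}
```

Under this model the least-exposing setting for port 80 still releases ports 1 through 79 to every local user, which is the gap a per-port or per-user exception would close.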
