From: Dag-Erling Smorgrav (des@flood.ping.uio.no)
To: Michael Richards <026809r@dragon.acadiau.ca>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Allowing non root users to bind low ports
Date: 21 Jun 1999 14:55:04 +0200
In-Reply-To: Michael Richards's message of "Sun, 20 Jun 1999 12:45:40 -0300 (ADT)"

Michael Richards <026809r@dragon.acadiau.ca> writes:
> I was giving this concept a little thought. If I'm not root and I can bind
> a low port, let's say the telnet port. I could write myself a fake telnet
> daemon and run it. Sooner or later, someone is going to try using it...
> This whole thing about non-root users binding to low ports would only be
> useful if there are no shell accounts on a machine IMO.

Well, duh. That's why we want to turn this off before going multiuser
(but after starting stuff like sendmail etc.) Of course, a better
solution would be ACLs.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no