Date: Fri, 3 Jul 1998 05:53:35 -0400
From: "Allen Smith" <easmith@beatrice.rutgers.edu>
To: dg@root.com, rotel@indigo.ie
Cc: security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Subject: Re: bsd securelevel patch question
Message-ID: <9807030553.ZM8446@beatrice.rutgers.edu>
In-Reply-To: David Greenman <dg@root.com> "Re: bsd securelevel patch question" (Jul 2, 9:00am)
References: <199807021600.JAA24882@implode.root.com>
On Jul 2, 9:00am, David Greenman (possibly) wrote:
> Um, well, let's talk about FTP servers, then, since those do a privileged
> bind() for every data connection that is established (one per file
> transfer).

Good point. The various examples here are pointing out something: in most cases, and so far as I know in all of the most frequent cases, it's only necessary to be able to bind to _one_ privileged port. (By 'the most frequent cases', I'm referring to that while the FTP server has to bind to both port 20 and port 21, the latter is far more frequent than the former - the first just happens when starting up a new daemon (and is usually done by inetd in any event).)

This implies that one way to speed things up would be to have as extra fields in a privilege structure (or as part of the ucred structure) the main tcp or udp port the process is permitted to bind to. In this way, one would simply check:

A. does the process have the PRIV_TCP (or PRIV_UDP) privilege;
B. if so, is the port in the privilege/ucred structure equal to the requested one (with a 0 meaning none has been established)? If so, allow;
C. if not, do whatever scanning is necessary to figure out if the port is allowable; if it is, then put that port # in the privilege/ucred structure.

-Allen

--
Allen Smith
easmith@beatrice.rutgers.edu
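The three-step check above, written out as an added illustration that is not part of Allen's message or of any BSD kernel: the struct name bind_priv, the PRIV_TCP/PRIV_UDP flag values, the allowed_tcp/allowed_udp lists standing in for "whatever scanning is necessary", and the rule that ports 0 and >= 1024 need no privilege are all assumptions made here.

```c
/* Added example (not from the original message): a per-process cache in
 * front of a privileged-port bind() policy check, following steps A-C.
 * All names below are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define PRIV_TCP 0x1u
#define PRIV_UDP 0x2u

/* Privilege record carried with the process: the privilege flags plus the
 * one privileged port per protocol it has already been cleared to bind
 * (0 = none established yet). */
struct bind_priv {
    unsigned flags;
    uint16_t tcp_port;
    uint16_t udp_port;
};

/* Hypothetical administrator allow-lists, 0-terminated; these stand in for
 * the slow "scanning" step C. */
static const uint16_t allowed_tcp[] = { 21, 20, 25, 0 };
static const uint16_t allowed_udp[] = { 53, 0 };

/* Number of slow-path scans performed, so a caller can observe the cache. */
static unsigned scan_count;

static bool port_in_list(const uint16_t *list, uint16_t port) {
    scan_count++;
    for (size_t i = 0; list[i] != 0; i++)
        if (list[i] == port) return true;
    return false;
}

/* True if the process described by p may bind() port on proto. */
bool may_bind(struct bind_priv *p, unsigned proto, uint16_t port) {
    if (port == 0 || port >= 1024) return true;  /* ephemeral/unprivileged: no check (assumption) */
    if (!(p->flags & proto)) return false;       /* A: lacks PRIV_TCP / PRIV_UDP */
    uint16_t *cached = (proto == PRIV_TCP) ? &p->tcp_port : &p->udp_port;
    if (*cached == port) return true;            /* B: cached port matches, no scan */
    const uint16_t *list = (proto == PRIV_TCP) ? allowed_tcp : allowed_udp;
    if (!port_in_list(list, port)) return false; /* C: scan says no */
    *cached = port;                              /* C: remember it for next time */
    return true;
}

unsigned bind_scan_count(void) { return scan_count; }

/* Constructed sample process holding PRIV_TCP only, nothing cached yet. */
struct bind_priv demo_proc = { PRIV_TCP, 0, 0 };
```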