From: John Hay
Subject: Re: Just a wild idea
In-Reply-To: from Julian Elischer at "Sep 22, 2002 09:46:13 pm"
To: freebsd-hackers@FreeBSD.ORG
Date: Mon, 23 Sep 2002 08:29:15 +0200 (SAT)

> > > I've been playing with jails for over 2 years now. I really like
> > > them but we often use them to run a process as root with reduced
> > > power only to get access to TCP and UDP ports below 1024.
> > >
> > > For many applications however, for example lpd, named, sendmail,
> > > tac_plus and others, it would be more than good enough to run that
> > > program as a normal, non-root user provided there is a way to bind
> > > to that single low TCP and/or UDP port that the program needs access
> > > to.
>
> better to have a definition of what are restricted ports for each jail
> than to redefine what root is....
>
> (1024 numbers is only 32 words of bitmask)

Sometimes I think the below 1024 check is outdated. What about a flag to
switch the below 1024 check totally off? How much do we really lose?

The two most common setups are probably a single user desktop and a
server box doing something like mail, web or dns. On the desktop,
switching the below 1024 check off only gains the user (who is also root)
something: he needs to su less. In a server environment, access to the
box is normally controlled in any case, so the people who have access to
the box normally also are the ones that have the root password or
whatever is needed to (re)start those services.

The only place where I think the check might still be useful is on a
general shell login box.

John
-- 
John Hay -- John.Hay@icomtek.csir.co.za / jhay@FreeBSD.org
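The per-jail restricted-port bitmask that the quoted reply sketches (1024 bits in 32 words), as an added example in C that is not part of this thread or of the FreeBSD kernel: the policy structure, a setter, and the decision a bind path would take instead of the fixed "below 1024 needs root" rule. The names jail_ports, jail_port_* and named_jail_check are hypothetical.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define IPPORT_RESERVED 1024
#define PORT_WORDS (IPPORT_RESERVED / 32)   /* 32 words of 32 bits = 1024 bits */

/* Hypothetical per-jail policy: bit set => binding that port needs privilege. */
struct jail_ports { uint32_t restricted[PORT_WORDS]; };

/* Classic rule (every port below 1024 restricted) vs. the "switch the
 * check off" option from the mail (nothing restricted). */
void jail_ports_init_classic(struct jail_ports *jp) {
    memset(jp->restricted, 0xff, sizeof jp->restricted);
}
void jail_ports_init_open(struct jail_ports *jp) {
    memset(jp->restricted, 0, sizeof jp->restricted);
}

void jail_port_set_restricted(struct jail_ports *jp, unsigned port, bool r) {
    if (port >= IPPORT_RESERVED) return;   /* high ports are never restricted */
    uint32_t bit = 1u << (port % 32);
    if (r)
        jp->restricted[port / 32] |= bit;
    else
        jp->restricted[port / 32] &= ~bit;
}

bool jail_port_is_restricted(const struct jail_ports *jp, unsigned port) {
    if (port >= IPPORT_RESERVED) return false;
    return (jp->restricted[port / 32] >> (port % 32)) & 1u;
}

/* Decision a bind() path would take: 0 to allow, EACCES when the port is
 * restricted for this jail and the caller is unprivileged. */
int jail_port_bind_check(const struct jail_ports *jp, unsigned port, bool privileged) {
    if (jail_port_is_restricted(jp, port) && !privileged)
        return EACCES;
    return 0;
}

/* Worked case from the mail: a jail for named where only port 53 is left
 * unrestricted, so an unprivileged named can bind it but no other low port. */
int named_jail_check(unsigned port, bool privileged) {
    struct jail_ports jp;
    jail_ports_init_classic(&jp);
    jail_port_set_restricted(&jp, 53, false);
    return jail_port_bind_check(&jp, port, privileged);
}
```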