Date: Mon, 23 Sep 2002 08:29:15 +0200 (SAT)
From: John Hay <jhay@icomtek.csir.co.za>
To: freebsd-hackers@FreeBSD.ORG
Subject: Re: Just a wild idea
Message-ID: <200209230629.g8N6TFb8054614@zibbi.icomtek.csir.co.za>
In-Reply-To: <Pine.BSF.4.21.0209222144400.32087-100000@InterJet.elischer.org> from Julian Elischer at "Sep 22, 2002 09:46:13 pm"
> > > I've been playing with jails for over 2 years now. I really like
> > > them but we often use them to run a process as root with reduced
> > > power only to get access to TCP and UDP ports below 1024.
> > >
> > > For many applications however, for example lpd, named, sendmail,
> > > tac_plus and others, it would be more than good enough to run that
> > > program as a normal, non-root user provided there is a way to bind
> > > to that single low TCP and/or UDP port that the program needs access
> > > to.
>
> better to have a definition of what are restricted ports for each jail
> than to redefine what root is....
>
> (1024 numbers is only 32 words of bitmask)

Sometimes I think the below 1024 check is outdated. What about a flag to
switch the below 1024 check totally off? How much do we really lose?

The two most common setups are probably a single user desktop and a
server box doing something like mail, web or dns. On the desktop,
switching the below 1024 check off only gains the user (who is also
root) something: he needs to su less. In a server environment, access
to the box is normally controlled in any case, so the people who have
access to the box normally also are the ones that have the root password
or whatever is needed to (re)start those services.

The only place where I think the check might still be useful is on a
general shell login box.

John
--
John Hay -- John.Hay@icomtek.csir.co.za / jhay@FreeBSD.org
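As an added example, not part of this thread and not FreeBSD code: a userspace C model of the three choices under discussion, namely the existing below-1024 check, the "switch it off" flag John asks about, and the per-jail restricted-port bitmask Julian suggests (1024 ports in 32 32-bit words), alongside a real bind() attempt so the model can be compared with what the running kernel says. All names (port_policy, port_bind_allowed, portmask_parse, check_policy, try_bind) and the "25,53,514-515" spec syntax are hypothetical inventions for this example.

```c
/*
 * Added example (not from the thread, not FreeBSD kernel code): three
 * policies for the reserved-port check, modelled in userspace.
 *   CLASSIC - ports below 1024 need uid 0 (the check that exists today)
 *   OFF     - John Hay's flag: no reserved-port check at all
 *   BITMASK - Julian Elischer's per-jail set of restricted ports,
 *             1024 bits = 32 words of uint32_t
 * Every identifier below is hypothetical, not a kernel or libc API.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define RESERVED_PORTS 1024
#define PORTMASK_WORDS (RESERVED_PORTS / 32)   /* 32 words, as Julian noted */

enum port_mode { PORT_MODE_CLASSIC, PORT_MODE_OFF, PORT_MODE_BITMASK };

struct port_policy {
    enum port_mode mode;
    uint32_t restricted[PORTMASK_WORDS];   /* bit set => port needs uid 0 */
};

static void portmask_set(struct port_policy *p, unsigned port)
{
    p->restricted[port / 32] |= 1u << (port % 32);
}

static int portmask_test(const struct port_policy *p, unsigned port)
{
    if (port >= RESERVED_PORTS)
        return 0;                   /* nothing above 1023 is ever restricted */
    return (p->restricted[port / 32] >> (port % 32)) & 1u;
}

/* Parse a per-jail spec like "25,53,514-515". 0 on success, -1 if malformed or >= 1024. */
int portmask_parse(struct port_policy *p, const char *spec)
{
    const char *s = spec;
    memset(p->restricted, 0, sizeof p->restricted);
    while (*s != '\0') {
        char *end;
        unsigned long lo = strtoul(s, &end, 10), hi;
        if (end == s)
            return -1;              /* no digits where a port was expected */
        hi = lo;
        if (*end == '-') {          /* "lo-hi" range */
            s = end + 1;
            hi = strtoul(s, &end, 10);
            if (end == s)
                return -1;
        }
        if (lo > hi || hi >= RESERVED_PORTS)
            return -1;
        for (unsigned long q = lo; q <= hi; q++)
            portmask_set(p, (unsigned)q);
        if (*end == ',')
            end++;
        else if (*end != '\0')
            return -1;              /* stray character */
        s = end;
    }
    return 0;
}

/* 0 if uid may bind port under policy p, else EACCES (what the kernel returns). */
int port_bind_allowed(const struct port_policy *p, uid_t uid, unsigned port)
{
    switch (p->mode) {
    case PORT_MODE_OFF:     return 0;
    case PORT_MODE_CLASSIC: return (port < RESERVED_PORTS && uid != 0) ? EACCES : 0;
    case PORT_MODE_BITMASK: return (portmask_test(p, port) && uid != 0) ? EACCES : 0;
    }
    return EACCES;                  /* unknown mode: fail closed */
}

/* One-shot helper: build a policy from mode and spec, then decide. -1 if spec is bad. */
int check_policy(enum port_mode mode, const char *spec, uid_t uid, unsigned port)
{
    struct port_policy p = { .mode = mode };
    if (spec != NULL && portmask_parse(&p, spec) != 0)
        return -1;
    return port_bind_allowed(&p, uid, port);
}

/* What the running kernel says: errno from bind() on 127.0.0.1:port, 0 on success. */
int try_bind(unsigned port)
{
    struct sockaddr_in sin;
    int fd = socket(AF_INET, SOCK_STREAM, 0), rc;
    if (fd < 0)
        return errno;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons((uint16_t)port);
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    rc = bind(fd, (struct sockaddr *)&sin, sizeof sin) == 0 ? 0 : errno;
    close(fd);
    return rc;
}

int main(void)
{
    uid_t me = getuid();
    int rc = try_bind(25);
    printf("model (classic): uid %u, port 25 -> %s\n", (unsigned)me,
           check_policy(PORT_MODE_CLASSIC, NULL, me, 25) ? "EACCES" : "ok");
    printf("model (bitmask 25,53,514-515): uid %u, port 80 -> %s\n", (unsigned)me,
           check_policy(PORT_MODE_BITMASK, "25,53,514-515", me, 80) ? "EACCES" : "ok");
    printf("kernel: bind(127.0.0.1:25) -> %s\n", rc ? strerror(rc) : "ok");
    return 0;
}
```

Run it once as an ordinary user and once as root: the classic model and the kernel should agree (EACCES, then ok), while the bitmask model lets the unprivileged user take port 80 because that port is not in the jail's restricted set. Note what the bitmask buys over the OFF flag: it fails closed for ports the administrator lists, so a compromised non-root daemon cannot grab, say, port 25 just because the jail was allowed port 53.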