Date:      Mon, 23 Sep 2002 08:29:15 +0200 (SAT)
From:      John Hay <jhay@icomtek.csir.co.za>
To:        freebsd-hackers@FreeBSD.ORG
Subject:   Re: Just a wild idea
Message-ID:  <200209230629.g8N6TFb8054614@zibbi.icomtek.csir.co.za>
In-Reply-To: <Pine.BSF.4.21.0209222144400.32087-100000@InterJet.elischer.org> from Julian Elischer at "Sep 22, 2002 09:46:13 pm"

> > > 
> > > I've been playing with jails for over 2 years now.  I really like
> > > them but we often use them to run a process as root with reduced
> > > power only to get access to TCP and UDP ports below 1024.
> > > 
> > > For many applications however, for example lpd, named, sendmail,
> > > tac_plus and others, it would be more than good enough to run that
> > > program as a normal, non-root user provided there is a way to bind
> > > to that single low TCP and/or UDP port that the program needs access
> > > to.
> 
> better to have a definition of what are restricted ports for each jail
> than to redefine what root is....
> 
> (1024 numbers is only 32 words of bitmask)

Sometimes I think the below-1024 check is outdated. What about a flag to
switch the below-1024 check totally off? How much do we really lose? The
two most common setups are probably a single-user desktop and a server
box doing something like mail, web or DNS. On the desktop, switching the
below-1024 check off only gains the user (who is also root) something: he
needs to su less. In a server environment, access to the box is normally
controlled in any case, so the people who have access to the box are
normally also the ones that have the root password or whatever is needed to
(re)start those services. The only place where I think the check might
still be useful is on a general shell login box.

John
-- 
John Hay -- John.Hay@icomtek.csir.co.za / jhay@FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
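The quoted reply suggests tracking "restricted ports" per jail as a bitmask (1024 bits in 32 words) instead of redefining what root is, and John's reply asks whether the check could simply be switched off. The sketch below, added here as an illustration and not code from FreeBSD or from either poster, shows both policies behind one bind-time check: a classic mask (everything below 1024 privileged), a fully open mask, and a per-jail mask that opens only port 53 for a named jail. All names (`struct port_policy`, `check_bind`, the scenario helpers) are hypothetical and the uid/port values are constructed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define RESTRICTED_PORTS 1024              /* ports 0..1023 */
#define MASK_WORDS (RESTRICTED_PORTS / 32) /* 1024 bits = 32 x 32-bit words */

/* Hypothetical per-jail policy: bit set => binding that port needs uid 0. */
struct port_policy {
    uint32_t restricted[MASK_WORDS];
};

/* Classic rule: every port below 1024 is privileged. */
void policy_init_classic(struct port_policy *p)
{
    memset(p->restricted, 0xff, sizeof p->restricted);
}

/* The check "switched totally off": no port is privileged. */
void policy_init_open(struct port_policy *p)
{
    memset(p->restricted, 0, sizeof p->restricted);
}

/* Mark one port privileged or not. Ports >= 1024 are never tracked. */
void policy_set(struct port_policy *p, uint16_t port, bool restricted)
{
    if (port >= RESTRICTED_PORTS)
        return;
    uint32_t bit = 1u << (port % 32);
    if (restricted)
        p->restricted[port / 32] |= bit;
    else
        p->restricted[port / 32] &= ~bit;
}

bool port_restricted(const struct port_policy *p, uint16_t port)
{
    if (port >= RESTRICTED_PORTS)
        return false;
    return (p->restricted[port / 32] >> (port % 32)) & 1u;
}

/* Bind-time check: 0 if allowed, EACCES if the caller lacks privilege.
 * uid 0 keeps its power as today; only the set of ports that require it
 * becomes configurable per jail. */
int check_bind(const struct port_policy *p, unsigned uid, uint16_t port)
{
    if (uid == 0)
        return 0;
    return port_restricted(p, port) ? EACCES : 0;
}

/* Scenario from the thread: a jail that runs only named. Port 53 is opened
 * to the unprivileged daemon user; every other port below 1024 stays
 * restricted. Returns the check_bind() result for (uid, port). */
int named_jail_bind(unsigned uid, uint16_t port)
{
    struct port_policy p;
    policy_init_classic(&p);
    policy_set(&p, 53, false);
    return check_bind(&p, uid, port);
}

/* Scenario from John's suggestion: the below-1024 check switched off. */
int open_box_bind(unsigned uid, uint16_t port)
{
    struct port_policy p;
    policy_init_open(&p);
    return check_bind(&p, uid, port);
}
```

The point of the mask over a single on/off flag is visible in `named_jail_bind`: the daemon user gets exactly the one low port it needs (53) and is still refused 25, 80 or 1023, so the jail does not have to run the service as root, nor give it all low ports. The open policy is the "flag" variant and lets any uid bind anywhere.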