Date: Wed, 26 Mar 1997 22:50:30 +0800 (WST)
From: Adrian Chadd <adrian@obiwan.aceonline.com.au>
To: David Greenman <dg@root.com>
Cc: tqbf@enteract.com, adrian@deathstar.ml.org, freebsd-security@FreeBSD.ORG
Subject: Re: Privileged ports...
Message-ID: <Pine.BSF.3.95q.970326224449.29293A-100000@obiwan.aceonline.com.au>
In-Reply-To: <199703261441.GAA12899@root.com>

On Wed, 26 Mar 1997, David Greenman wrote:

> None that I can think of if I understand you correctly. The thing you
> want to prevent is regular users being able to bind to a privileged port.
> It would take an average cracker less than 5 minutes to whip up a couple
> of really nasty programs (such as one that pretends to be rlogin - claiming
> to be some other user). As long as you retain control over who/what can
> bind to the privileged ports, I don't see any problem.
>

Agreed.

> >Surely there must be a nicer way :)
>
> It would be nice if FreeBSD had account privileges ala VMS. You could then
> have fine grain control over what 'privileged' programs can do, thus limiting
> the vulnerabilities. I've been thinking about this on occasion for many years
> and have discussed the idea with several other people. There are a lot of
> details...it's not as easy as it might seem.
>

Sounds interesting. It would be an interesting project to take on, I'm sure.
How about assigning each port number a userid which can bind with the port
alongside root? Should be easy enough to implement, and powerful enough to
not need suid root binaries to bind to priv'ed ports.

> -DG
>
> David Greenman
> Core-team/Principal Architect, The FreeBSD Project
>

Enough from me on this, I have uni tomorrow^H^H^H^H^H^H^H^H^Hthis morning. :)
*thwap*

Night,

--
Adrian Chadd            | UNIX, MS-DOS and Windows ...
<adrian@psinet.net.au>  | (also known as the Good, the bad and the
                        |  ugly..)
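
The per-port owner rule proposed in the message above, modelled as a user-space decision function. This is an added example, not code from the thread or from FreeBSD; the table contents, the uids and the names PRIV_PORT_LIMIT, NO_OWNER, port_owners, port_owner_lookup and port_bind_allowed are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/types.h>

#define PRIV_PORT_LIMIT 1024      /* ports below this are privileged */
#define NO_OWNER ((uid_t)-1)      /* sentinel: no uid delegated for this port */

/* Constructed sample policy: port -> the one non-root uid allowed to bind it. */
struct port_owner { unsigned short port; uid_t uid; };
static const struct port_owner port_owners[] = {
    { 25, 125 },   /* hypothetical "mail" uid */
    { 80, 180 },   /* hypothetical "www" uid */
};

/* Look up the delegated uid for a port, or NO_OWNER if none was assigned. */
static uid_t port_owner_lookup(unsigned short port)
{
    size_t i;
    for (i = 0; i < sizeof(port_owners) / sizeof(port_owners[0]); i++)
        if (port_owners[i].port == port)
            return port_owners[i].uid;
    return NO_OWNER;
}

/* Return 1 if euid may bind to port under the proposed rule, else 0. */
int port_bind_allowed(uid_t euid, unsigned short port)
{
    uid_t owner;

    if (port == 0 || port >= PRIV_PORT_LIMIT)
        return 1;    /* 0 = kernel picks an ephemeral port; >= 1024 is unprivileged */
    if (euid == 0)
        return 1;    /* root keeps its traditional right to every port */
    owner = port_owner_lookup(port);
    /* Default deny: an unassigned port stays root-only, and a euid that
     * happens to equal the sentinel can never match it. */
    return owner != NO_OWNER && owner == euid;
}

int main(void)
{
    printf("uid 125  -> port 25: %d\n", port_bind_allowed(125, 25));
    printf("uid 180  -> port 25: %d\n", port_bind_allowed(180, 25));
    printf("uid 1001 -> port 23: %d\n", port_bind_allowed(1001, 23));
    return 0;
}
```

With a table like this, a mail daemon running as uid 125 could bind port 25 without a setuid-root binary, while every privileged port that has no entry stays root-only.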