Date: Fri, 28 Mar 1997 08:35:19 -0700 (MST)
From: Brandon Gillespie <brandon@cold.org>
To: freebsd-security@FreeBSD.ORG
Subject: alternate approach (Re: Privileged ports...)
Message-ID: <Pine.NEB.3.95.970328082832.9522A-100000@cold.org>
In-Reply-To: <Pine.BSF.3.95.970328013334.18095F-100000@alive.znep.com>
I know I'm jumping into this a bit late, but a while back I suggested something similar, which I think would work as well in this situation. It's along the same lines of defining the allowed user (and possibly group) in inetd.conf, but why do it there? I would suggest doing it in another file, such as /etc/services, or something similar, and just having it be a generic port configuration file overall. This file would define who can use what ports up to 1024, and it would also open up ports beyond 1024. This would have the added benefit that admins could reconfigure it to not allow general users to bind to ANY ports, period--if they are having problems with generic users throwing up disallowed network daemons.

The format could be very simple, such as:

    PORTSPEC  user  group

Where portspec is simply a single port, or range of ports given as the actual port number or name, as specified in /etc/services, examples:

    1-79      root    system
    http      webadm  webadm
    81-1024   root    system

Or perhaps have a directive as the first 'word' on the line, so you could expand on the functionality for different behaviour (also giving a default for different ranges, so you could have overlapping declarations, such as 1-1024 default to root:system and port 80 given to webadm).

Just a thought.

-Brandon Gillespie
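The following is an added example, not code from the original message or from FreeBSD, showing how a checker for the proposed port-permission file could look, including the overlapping "default" ranges suggested at the end. The file syntax beyond the three-column "PORTSPEC user group" form (the "default" and "allow" directives), the built-in stand-in for /etc/services, the sample configuration and the precedence rules are all assumptions made for the illustration. Unmatched ports below IPPORT_RESERVED (1024) stay reserved to root, unmatched ports at or above it stay open, so the file fails closed on the privileged range while still letting an admin lock down the rest.

```c
/* Added example: checker for the proposed per-port bind-permission file.
 * Not FreeBSD code. File syntax, directives and sample data are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define MAXRULES 64

struct rule {
    int lo, hi;        /* inclusive port range */
    int is_default;    /* "default" line: overridden by any explicit line */
    char user[32];
    char group[32];
};

/* Constructed stand-in for /etc/services so the example runs offline. */
static const struct { const char *name; int port; } services[] = {
    { "ftp", 21 }, { "ssh", 22 }, { "smtp", 25 }, { "http", 80 }, { "https", 443 },
};

static int lookup_service(const char *name) {
    for (size_t i = 0; i < sizeof services / sizeof services[0]; i++)
        if (strcmp(services[i].name, name) == 0) return services[i].port;
    return -1;
}

/* A port given as a number ("80") or a service name ("http"); -1 if invalid. */
static int parse_port(const char *tok) {
    char *end;
    if (isdigit((unsigned char)tok[0])) {
        long v = strtol(tok, &end, 10);
        return (*end == '\0' && v >= 1 && v <= 65535) ? (int)v : -1;
    }
    return lookup_service(tok);
}

/* "80", "http" or "1-79" -> inclusive range. Modifies spec in place. */
static int parse_portspec(char *spec, int *lo, int *hi) {
    char *dash = strchr(spec, '-');
    if (dash) *dash = '\0';
    *lo = parse_port(spec);
    *hi = dash ? parse_port(dash + 1) : *lo;
    return *lo > 0 && *hi >= *lo;
}

/* Parse the whole file text. Returns rule count, or -1 on any malformed line
 * (a policy file should be rejected whole rather than half-applied). */
static int load_rules(const char *text, struct rule *rules, int max) {
    char copy[2048], *save, *line;
    int n = 0;
    if (strlen(text) >= sizeof copy) return -1;
    strcpy(copy, text);
    for (line = strtok_r(copy, "\n", &save); line; line = strtok_r(NULL, "\n", &save)) {
        char *tok[5], *s2, *hash = strchr(line, '#');
        int ntok = 0, i = 0, is_default = 0;
        if (hash) *hash = '\0';                       /* strip trailing comment */
        for (char *t = strtok_r(line, " \t", &s2); t && ntok < 5; t = strtok_r(NULL, " \t", &s2))
            tok[ntok++] = t;
        if (ntok == 0) continue;                      /* blank or comment-only line */
        if (strcmp(tok[0], "default") == 0) { is_default = 1; i = 1; }
        else if (strcmp(tok[0], "allow") == 0) i = 1;
        if (ntok - i != 3 || n >= max) return -1;     /* need exactly PORTSPEC user group */
        if (!parse_portspec(tok[i], &rules[n].lo, &rules[n].hi)) return -1;
        snprintf(rules[n].user, sizeof rules[n].user, "%s", tok[i + 1]);
        snprintf(rules[n].group, sizeof rules[n].group, "%s", tok[i + 2]);
        rules[n].is_default = is_default;
        n++;
    }
    return n;
}

/* 1 if user (with primary group `group`) may bind port, else 0.
 * root always may; an explicit line beats a "default" line; among lines of
 * the same kind the last match wins; a port no line covers stays reserved
 * to root below 1024 and open to everyone from 1024 up. */
static int may_bind(const struct rule *rules, int n, int port, const char *user, const char *group) {
    const struct rule *best = NULL;
    if (strcmp(user, "root") == 0) return 1;
    for (int i = 0; i < n; i++) {
        if (port < rules[i].lo || port > rules[i].hi) continue;
        if (!best || best->is_default || !rules[i].is_default) best = &rules[i];
    }
    if (!best) return port >= 1024;
    return strcmp(best->user, user) == 0 || strcmp(best->group, group) == 0;
}

/* Constructed sample: the post's idea of a 1-1024 default with port 80
 * carved out, plus a lockdown of the unprivileged range to group wheel. */
static const char *sample_conf =
    "# PORTSPEC        user    group\n"
    "default 1-1024    root    system\n"
    "http              webadm  webadm\n"
    "smtp              mail    mail\n"
    "1025-65535        root    wheel   # only wheel may bind high ports\n";

static int check_sample(int port, const char *user, const char *group) {
    struct rule rules[MAXRULES];
    int n = load_rules(sample_conf, rules, MAXRULES);
    return n < 0 ? -1 : may_bind(rules, n, port, user, group);
}

static int count_rules(const char *text) {
    struct rule rules[MAXRULES];
    return load_rules(text, rules, MAXRULES);
}

int main(void) {
    struct { int port; const char *user, *group; } q[] = {
        { 80, "webadm", "webadm" }, { 443, "webadm", "webadm" }, { 25, "mail", "mail" },
        { 8080, "alice", "users" }, { 8080, "alice", "wheel" },
    };
    for (size_t i = 0; i < sizeof q / sizeof q[0]; i++)
        printf("port %5d  %-8s %-8s -> %s\n", q[i].port, q[i].user, q[i].group,
               check_sample(q[i].port, q[i].user, q[i].group) == 1 ? "allow" : "deny");
    return 0;
}
```

Two simplifications worth noting: the check uses only the caller's primary group where a real implementation would walk the full supplementary group list, and the decision has to be made in the kernel at bind(2) time (or in a setuid helper that hands back the bound socket), since a userland daemon can be started without ever going through inetd.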
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.95.970328082832.9522A-100000>