From owner-freebsd-security Fri Mar 28 07:35:22 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id HAA15788 for security-outgoing; Fri, 28 Mar 1997 07:35:22 -0800 (PST)
Received: from cold.org (cold.org [206.81.134.103]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA15783 for ; Fri, 28 Mar 1997 07:35:18 -0800 (PST)
Received: from localhost (brandon@localhost) by cold.org (8.8.5/8.8.3) with SMTP id IAA09543 for ; Fri, 28 Mar 1997 08:35:19 -0700 (MST)
Date: Fri, 28 Mar 1997 08:35:19 -0700 (MST)
From: Brandon Gillespie
To: freebsd-security@FreeBSD.ORG
Subject: alternate approach (Re: Privileged ports...)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

I know I'm jumping into this a bit late, but a while back I suggested something similar, which I think would work as well in this situation. It's along the same lines of defining the allowed user (and possibly group) in inetd.conf, but why do it there? I would suggest doing it in another file, such as /etc/services, or something similar, and just having it be a generic port configuration file overall. This file would define who can use what ports up to 1024, and it would also open up ports beyond 1024. This would have the added benefit that admins could reconfigure it to not allow general users to bind to ANY ports, period--if they are having problems with generic users throwing up disallowed network daemons.
The format could be very simple, such as:

    PORTSPEC user group

where PORTSPEC is simply a single port, or range of ports, given as the actual port number or name as specified in /etc/services. Examples:

    1-79      root    system
    http      webadm  webadm
    81-1024   root    system

Or perhaps have a directive as the first 'word' on the line, so you could expand on the functionality for different behaviour (also giving a default for different ranges, so you could have overlapping declarations, such as 1-1024 defaulting to root:system and port 80 given to webadm).

Just a thought.

-Brandon Gillespie
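To make the proposal concrete, here is a prototype parser and bind-time check for the file format sketched in the message above. It is an added example written for this page, not code from the post or from FreeBSD, and it fills in several details the post leaves open, all of which are assumptions: the directive words are `default` (low-precedence fallback) and `allow` (explicit, and the meaning of a line with no directive); `#` starts a comment; the two columns mean "the named user, or any member of the named group, may bind"; when entries overlap, an explicit entry beats a default, a narrower range beats a wider one, and a later line beats an earlier one on a tie; and a port with no matching entry is closed to everyone, which is what makes the "no ports for general users, period" configuration possible. The `SERVICES` table stands in for /etc/services and the `EXAMPLE_POLICY` text is constructed for the demo.

```python
"""Prototype of the per-port bind policy file proposed on the list (added
example; assumptions listed in the surrounding text).

Line format:  [DIRECTIVE] PORTSPEC USER GROUP
  DIRECTIVE  'default' = low-precedence fallback, 'allow' or none = explicit
  PORTSPEC   port number, range 'lo-hi', or a service name from SERVICES
Ports with no matching entry are closed to everyone.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed stand-in for /etc/services; a real implementation would read it.
SERVICES = {"ftp": 21, "ssh": 22, "smtp": 25, "http": 80, "pop3": 110}

# Constructed sample mirroring the overlapping layout the post describes:
# 1-1024 falls back to root:system, port 80 goes to webadm, high ports are
# opened to anyone in the 'users' group.
EXAMPLE_POLICY = """\
# privileged range falls back to root:system
default 1-1024     root    system
allow   http       webadm  webadm
1025-65535         nobody  users     # no directive = explicit allow
"""


@dataclass(frozen=True)
class Rule:
    lo: int
    hi: int
    user: str
    group: str
    is_default: bool

    def covers(self, port: int) -> bool:
        return self.lo <= port <= self.hi

    @property
    def width(self) -> int:
        return self.hi - self.lo


def resolve_port(token: str, services=SERVICES) -> int:
    """Turn a port number or a service name into a validated port number."""
    if token.isdigit():
        port = int(token)
    elif token in services:
        port = services[token]
    else:
        raise ValueError(f"unknown port or service name: {token!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_portspec(spec: str, services=SERVICES) -> Tuple[int, int]:
    """'80' -> (80, 80); '1-1024' -> (1, 1024); 'http' -> (80, 80)."""
    lo_tok, dash, hi_tok = spec.partition("-")
    lo = resolve_port(lo_tok, services)
    hi = resolve_port(hi_tok, services) if dash else lo
    if lo > hi:
        raise ValueError(f"inverted range: {spec!r}")
    return lo, hi


def parse_policy(text: str, services=SERVICES) -> List[Rule]:
    """Parse the whole file; malformed lines are rejected, not skipped."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        is_default = False
        if fields[0] in ("default", "allow"):
            is_default = fields[0] == "default"
            fields = fields[1:]
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected PORTSPEC USER GROUP: {raw!r}")
        lo, hi = parse_portspec(fields[0], services)
        rules.append(Rule(lo, hi, fields[1], fields[2], is_default))
    return rules


def rule_for(rules: List[Rule], port: int) -> Optional[Rule]:
    """Entry governing a port: explicit beats default, narrower range beats
    wider, and on a tie the later line wins."""
    candidates = [(i, r) for i, r in enumerate(rules) if r.covers(port)]
    if not candidates:
        return None
    _, best = max(candidates, key=lambda ir: (not ir[1].is_default, -ir[1].width, ir[0]))
    return best


def may_bind(rules: List[Rule], port: int, user: str, groups: Iterable[str]) -> bool:
    """The bind(2)-time decision: listed user, or member of the listed group."""
    rule = rule_for(rules, port)
    if rule is None:
        return False
    return user == rule.user or rule.group in set(groups)


if __name__ == "__main__":
    rules = parse_policy(EXAMPLE_POLICY)
    for port, user, groups in [(80, "webadm", ["webadm"]), (80, "root", ["system"]),
                               (22, "root", ["system"]), (8080, "alice", ["users"])]:
        verdict = "allowed" if may_bind(rules, port, user, groups) else "denied"
        print(f"{user:>7} -> port {port:<5} {verdict}")
```

One consequence of the precedence rule worth noticing: once port 80 is handed to webadm, root can no longer bind it under this policy, because the explicit http line overrides the root:system default for that single port. Whether root should be exempt from the file entirely is a policy choice the post does not settle; the prototype treats the file as the whole policy.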