From owner-cvs-src Fri Feb 21 01:19:07 2003
Delivered-To: cvs-src@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B97D137B401;
	Fri, 21 Feb 2003 01:19:04 -0800 (PST)
Received: from storm.FreeBSD.org.uk (storm.FreeBSD.org.uk [194.242.157.42])
	by mx1.FreeBSD.org (Postfix) with ESMTP id CC08543FB1;
	Fri, 21 Feb 2003 01:19:03 -0800 (PST)
	(envelope-from mark@grondar.org)
Received: from storm.FreeBSD.org.uk (Ugrondar@localhost [127.0.0.1])
	by storm.FreeBSD.org.uk (8.12.6/8.12.6) with ESMTP id h1L9J2ja020697;
	Fri, 21 Feb 2003 09:19:02 GMT
	(envelope-from mark@grondar.org)
Received: (from Ugrondar@localhost)
	by storm.FreeBSD.org.uk (8.12.6/8.12.6/Submit) with UUCP id h1L9J2oX020692;
	Fri, 21 Feb 2003 09:19:02 GMT
X-Authentication-Warning: storm.FreeBSD.org.uk: Ugrondar set sender to mark@grondar.org using -f
Received: from grondar.org (localhost [127.0.0.1])
	by grimreaper.grondar.org (8.12.7/8.12.7) with ESMTP id h1L9FuPE031429;
	Fri, 21 Feb 2003 09:15:56 GMT
	(envelope-from mark@grondar.org)
From: Mark Murray
Message-Id: <200302210915.h1L9FuPE031429@grimreaper.grondar.org>
To: "Crist J. Clark"
Cc: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet in_pcb.c
In-Reply-To: Your message of "Thu, 20 Feb 2003 21:28:28 PST." <200302210528.h1L5SS0H092948@repoman.freebsd.org>
Date: Fri, 21 Feb 2003 09:15:56 +0000
Sender: owner-cvs-src@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

YAY!!! This is _SO_ cool! :-)

M

"Crist J. Clark" writes:
> cjc         2003/02/20 21:28:28 PST
>
>   Modified files:
>     sys/netinet          in_pcb.c
>   Log:
>   The ancient and outdated concept of "privileged ports" in UNIX-type
>   OSes has probably caused more problems than it ever solved. Allow the
>   user to retire the old behavior by specifying their own privileged
>   range with,
>
>     net.inet.ip.portrange.reservedhigh   default = IPPORT_RESERVED - 1
>     net.inet.ip.portrange.reservedlo     default = 0
>
>   Now you can run that webserver without ever needing root at all. Or
>   just imagine, an ftpd that can really drop privileges, rather than
>   just set the euid, and still do PORT data transfers from 20/tcp.
>
>   Two edge cases to note,
>
>     # sysctl net.inet.ip.portrange.reservedhigh=0
>
>   Opens all ports to everyone, and,
>
>     # sysctl net.inet.ip.portrange.reservedhigh=65535
>
>   Locks all network activity to root only (which could actually have
>   been achieved before with ipfw(8), but is somewhat more
>   complicated).
>
>   For those who stick to the old religion that 0-1023 belong to root and
>   root alone, don't touch the knobs (or even lock them by raising
>   securelevel(8)), and nothing changes.
>
>   Revision  Changes    Path
>   1.120     +15 -2     src/sys/netinet/in_pcb.c
-- 
Mark Murray
iumop ap!sdn w,I idlaH
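The bind-time decision the quoted commit message describes, written out as an added stand-alone C model so the default range and the two edge cases can be exercised on any machine. This is not the in_pcb.c code from revision 1.120 (the diff is not on this page) and not FreeBSD's kernel API; the struct and function names are illustrative, uid 0 stands in for passing the kernel's superuser check, and only explicit binds are modelled (a bind to port 0, which asks for an ephemeral port, is left unchecked here, so the "locks all network activity" case is shown only for explicitly requested ports).

```c
#include <errno.h>
#include <stdio.h>

/*
 * Added model of the privileged-port check described in the commit
 * message above. NOT the kernel's in_pcb.c; names are illustrative.
 * Defaults follow the message: reservedhigh = IPPORT_RESERVED - 1,
 * reservedlo = 0, i.e. the classic 0-1023 root-only range.
 */
#define IPPORT_RESERVED 1024

struct portrange_knobs {
    unsigned reservedlo;    /* net.inet.ip.portrange.reservedlo (per the message) */
    unsigned reservedhigh;  /* net.inet.ip.portrange.reservedhigh */
};

static const struct portrange_knobs classic = { 0, IPPORT_RESERVED - 1 };

/* 1 if an explicitly requested port lies inside the reserved range. */
static int port_is_reserved(unsigned port, const struct portrange_knobs *k)
{
    /* Port 0 means "allocate an ephemeral port"; the explicit-port range
     * check does not apply to it (ephemeral allocation is not modelled). */
    if (port == 0)
        return 0;
    return port >= k->reservedlo && port <= k->reservedhigh;
}

/*
 * Privilege decision for bind(2) to `port` by a process running as `uid`
 * under the given knob values. Returns 0 if the bind is allowed, EACCES
 * if the caller would need root, EINVAL for an impossible port number.
 * uid 0 stands in for the kernel's superuser check (assumption of this
 * model; a real kernel consults credentials, not a bare uid).
 */
int simulate_bind(unsigned uid, unsigned port, unsigned reservedlo,
                  unsigned reservedhigh)
{
    struct portrange_knobs k = { reservedlo, reservedhigh };

    if (port > 65535)
        return EINVAL;
    if (port_is_reserved(port, &k) && uid != 0)
        return EACCES;
    return 0;
}

/* Same decision with the knobs left untouched (0-1023 reserved for root). */
int simulate_bind_default(unsigned uid, unsigned port)
{
    return simulate_bind(uid, port, classic.reservedlo, classic.reservedhigh);
}

int main(void)
{
    /* Constructed scenarios: the defaults, the two edge cases from the
     * message, and a custom range that frees 80/tcp but keeps 22 reserved. */
    struct { const char *label; unsigned lo, high; } scenarios[] = {
        { "defaults (knobs untouched)",            0, IPPORT_RESERVED - 1 },
        { "reservedhigh=0 (all ports open)",       0, 0 },
        { "reservedhigh=65535 (root only)",        0, 65535 },
        { "custom range 1-79 (80 unprivileged)",   1, 79 },
    };
    unsigned ports[] = { 20, 22, 80, 8080 };
    unsigned uid = 1000;  /* an unprivileged daemon */

    for (size_t i = 0; i < sizeof scenarios / sizeof scenarios[0]; i++) {
        printf("%s:\n", scenarios[i].label);
        for (size_t j = 0; j < sizeof ports / sizeof ports[0]; j++) {
            int rc = simulate_bind(uid, ports[j], scenarios[i].lo, scenarios[i].high);
            printf("  uid %u bind :%-5u -> %s\n", uid, ports[j],
                   rc == 0 ? "allowed" : "EACCES (needs root)");
        }
    }
    return 0;
}
```

Running it shows that raising reservedhigh to 65535 refuses every explicit port to uid 1000 while uid 0 is unaffected, and that with the knobs untouched the model reproduces the familiar 0-1023 behaviour, which is the "nothing changes" case in the message.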