From: Robert Watson
Date: Fri, 21 Feb 2003 10:18:40 -0500 (EST)
To: Garance A Drosihn
Cc: "Crist J. Clark", src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet in_pcb.c (priv ports)

On Fri, 21 Feb 2003, Garance A Drosihn wrote:

> While this can be useful, it would be nice if there was also an
> exception-mechanism, instead of just a "lo" and "high" value. If I want
> to run a web server without needing root, then I'd like to allow port
> 80, and not an entire range of 0-80 or 80-1024.

Well, if you want, you could combine these twiddles with a custom MAC
module that checks the arguments to bind(), connect(), etc., and has an
access control list regarding who can use which ports. Note that ipfw
doesn't prevent you from binding the ports and therefore excluding other
use, it just prevents certain classes of packet use.

There are actually at least two functions of the reserved port behavior --
first, the historic "we know root must have authorized the sending of
these packets", and second, the "prevent joe user from offering official
services without appropriate privilege". Aspects of the second part are
still important, so unless you have only trusted users on your web server
machine, you might want access controls to prevent inappropriate users
from starting web servers next time you restart your web server and the
ports are temporarily unbound.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories
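
Added example, not part of the original message and not FreeBSD code: a user-space C model of the check described above, where a bind() request inside the reserved "lo"/"high" range is allowed only for root or for an id listed in a per-port access control list. All names, the port-0 handling, and the sample policy (uid 80 may bind TCP 80) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model with hypothetical names; not kernel or MAC framework code. */
struct cred { uint32_t uid, gid; };
enum id_type { ID_UID, ID_GID };
struct port_rule {                 /* ACL entry: this id may bind proto/port */
    enum id_type type;
    uint32_t id;
    int proto;                     /* 6 = TCP, 17 = UDP */
    uint16_t port;
};
struct port_policy {
    uint16_t reserved_lo, reserved_hi;  /* the "lo"/"high" reserved range */
    const struct port_rule *rules;
    size_t nrules;
};

/* Decide a bind() request: range check first, then per-port exceptions. */
bool bind_allowed(const struct port_policy *p, const struct cred *c,
                  int proto, uint16_t port)
{
    if (port == 0)                 /* assumption: kernel picks an ephemeral port */
        return true;
    if (port < p->reserved_lo || port > p->reserved_hi)
        return true;               /* outside the reserved range */
    if (c->uid == 0)
        return true;               /* root keeps the historic privilege */
    for (size_t i = 0; i < p->nrules; i++) {
        const struct port_rule *r = &p->rules[i];
        if (r->proto == proto && r->port == port &&
            r->id == (r->type == ID_UID ? c->uid : c->gid))
            return true;           /* explicit exception for this id */
    }
    return false;                  /* default deny inside the reserved range */
}

/* Constructed sample: ports 1-1023 reserved, uid 80 may bind TCP 80 only. */
static const struct port_rule sample_rules[] = { { ID_UID, 80, 6, 80 } };
static const struct port_policy sample_policy = { 1, 1023, sample_rules, 1 };

int main(void)
{
    struct cred www = { 80, 80 }, joe = { 1001, 1001 };
    printf("www tcp/80:  %d\n", bind_allowed(&sample_policy, &www, 6, 80));
    printf("www tcp/443: %d\n", bind_allowed(&sample_policy, &www, 6, 443));
    printf("joe tcp/80:  %d\n", bind_allowed(&sample_policy, &joe, 6, 80));
    return 0;
}
```

The default-deny return is what keeps an ordinary user from taking port 80 while the web server is down for a restart; the exception covers exactly one id, protocol and port rather than a range.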