From owner-cvs-src Fri Feb 21 8:47: 1 2003 Delivered-To: cvs-src@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C79E637B412; Fri, 21 Feb 2003 08:46:59 -0800 (PST) Received: from mta05ps.bigpond.com (mta05ps.bigpond.com [144.135.25.137]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4C42743FE0; Fri, 21 Feb 2003 08:46:57 -0800 (PST) (envelope-from darrenr@reed.wattle.id.au) Received: from CPE-61-9-164-106.vic.bigpond.net.au ([144.135.25.72]) by mta05ps.bigpond.com (Netscape Messaging Server 4.15 mta05ps Jul 16 2002 22:47:55) with SMTP id HAO3Y700.9K7; Sat, 22 Feb 2003 02:46:55 +1000 Received: from CPE-203-51-131-87.vic.bigpond.net.au ([203.51.131.87]) by PSMAM02.mailsvc.email.bigpond.com(MailRouter V3.0n 80/18662354); 22 Feb 2003 02:46:55 Received: (from root@localhost) by CPE-61-9-164-106.vic.bigpond.net.au (8.11.0/8.11.0) id h1LGkY928647; Sat, 22 Feb 2003 03:46:34 +1100 From: Darren Reed Message-Id: <200302211646.DAA01570@avalon.reed.wattle.id.au> Subject: Re: cvs commit: src/sys/netinet in_pcb.c In-Reply-To: <326CFC6B-459E-11D7-9535-000393754B1C@vangelderen.org> To: "Jeroen C. van Gelderen" Date: Sat, 22 Feb 2003 03:46:22 +1100 Cc: "Crist J. Clark" , src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org X-Mailer: ELM [version 2.4ME+ PL99d (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Sender: owner-cvs-src@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG In some email I received from Jeroen C. van Gelderen, sie wrote: > On Friday, Feb 21, 2003, at 06:28 Europe/Amsterdam, Crist J. Clark > wrote: > > cjc 2003/02/20 21:28:28 PST > > > > Modified files: > > sys/netinet in_pcb.c > > Log: > > The ancient and outdated concept of "privileged ports" in UNIX-type > > OSes has probably caused more problems than it ever solved. Allow the > > user to retire the old behavior by specifying their own privileged > > range with, > > > > net.inet.ip.portrange.reservedhigh default = IPPORT_RESERVED - 1 > > net.inet.ip.portrange.reservedlo default = 0 > > Thank you, thank you, thank you! FWIW, this feature is in line with similar settings available on Solaris but perhaps they're more in tune with the threat here: # ndd /dev/tcp tcp_smallest_nonpriv_port 1024 # ndd -set /dev/tcp tcp_smallest_nonpriv_port 1023 operation failed, Invalid argument If we assume that ports < 1024 are part of a "priviledge base" then the correct way to get access to them from a non-root application is through MAC (Robert Watson) or something like systrace. Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-src" in the body of the message