From owner-freebsd-security  Wed Jun 23  1:19:30 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31])
	by hub.freebsd.org (Postfix) with ESMTP id 9112B14BDB
	for <freebsd-security@FreeBSD.ORG>; Wed, 23 Jun 1999 01:19:27 -0700 (PDT)
	(envelope-from des@flood.ping.uio.no)
Received: (from des@localhost)
	by flood.ping.uio.no (8.9.3/8.9.1) id KAA11593;
	Wed, 23 Jun 1999 10:19:19 +0200 (CEST)
	(envelope-from des)
To: Andrew McNaughton <andrew@scoop.co.nz>
Cc: Dag-Erling Smorgrav <des@flood.ping.uio.no>,
	Michael Richards <026809r@dragon.acadiau.ca>,
	freebsd-security@FreeBSD.ORG
Subject: Re: Allowing non root users to bind low ports
References: <199906221758.FAA07268@aniwa.sky>
From: Dag-Erling Smorgrav <des@flood.ping.uio.no>
Date: 23 Jun 1999 10:19:18 +0200
In-Reply-To: Andrew McNaughton's message of "Wed, 23 Jun 1999 05:58:36 +1200"
Message-ID: <xzpu2rzjpmh.fsf@flood.ping.uio.no>
Lines: 24
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Andrew McNaughton <andrew@scoop.co.nz> writes:
> > Michael Richards <026809r@dragon.acadiau.ca> writes:
> > > I was giving this concept a little thought. If I'm not root and I can bind
> > > a low port, let's say the telnet port. I could write myself a fake telnet
> > > daemon and run it. Sooner or later, someone is going to try using it...
> > > This whole thing about non-root users binding to low ports would only be
> > > useful if there are no shell accounts on a machine IMO.
> > Well, duh. That's why we want to turn this off before going multiuser
> > (but after starting stuff like sendmail etc.)
> That approach is of limited use unless you're prepared to reboot your machine 
> every time you want to change your sendmail configuration.
> 
> Sounds too much like Windows for my liking.  Nothing short of reconfiguring 
> the kernel or a make world should require a reboot.

Gee, man, ever heard of the security/usability tradeoff? Of course you
wouldn't do that on a box unless you were sure it was already
configured properly.

Please try to understand what the discussion is about before butting in.

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message