From owner-cvs-all Thu Aug 16 10:23:11 2001
Delivered-To: cvs-all@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 4B47537B40B; Thu, 16 Aug 2001 10:22:55 -0700 (PDT) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.4/8.11.4) with SMTP id f7GHMff86579; Thu, 16 Aug 2001 13:22:41 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Thu, 16 Aug 2001 13:22:41 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: cjclark@alum.mit.edu
Cc: Maxim Sobolev, David Malone, Mikhail Teterin, alex@big.endian.de, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/etc inetd.conf
In-Reply-To: <20010816090911.A4232@blossom.cjclark.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, 16 Aug 2001, Crist J. Clark wrote:

> I hear this argument frequently, but it does not really hold water.
> There are a lot of standard services that live above 1023, some
> extremely sensitive, take NFS for example or how about nearly all other
> RPC services. I have never heard of malicious local users trying to DoS
> these services in such a manner. It is easy enough for an administrator
> to fix the problem (kill the daemon watching for the port to open, kill
> the listening process, lock the account of the offending user). Windows
> systems have no concept of privileged ports and I have never seen this
> type of exploit against a NT or 2k server.
> --
> Crist J. Clark

This is because no Windows services make use of the "privileged port"
model for security purposes. But UNIX systems use them in a number of
places for native services, such as r*, NFS, etc.
Windows, unlike UNIX, has an established distributed system model for
authentication and service management, and that is tightly integrated into
the operating system. And there are probably races in their directory
service model, just as there are races in our portmapper.

Also, to be honest, the use of Windows servers is quite a bit different
from UNIX servers. ISP's don't frequently give complete remote login and
execution rights to 10,000 customer accounts.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services
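The thread turns on a concrete risk: services such as NFS and other RPC daemons listen above port 1023, so on a multi-user UNIX host any local account can grab such a port before the daemon does. Clark's suggested remedy is for the administrator to notice and kill the offending listener. The check below is an added example, not code from the thread or from FreeBSD; it parses the column layout of FreeBSD's `sockstat -l` output and flags listeners on sensitive ports whose owning user is not the one expected. The `EXPECTED_OWNER` table and the `SAMPLE_SOCKSTAT` text are constructed for the example, not captured from a real system.

```python
"""Detect listeners on sensitive high ports owned by an unexpected user.

Added example for the privileged-port discussion; assumes the column
layout of FreeBSD sockstat(1) with -l (USER COMMAND PID FD PROTO
LOCAL ADDRESS FOREIGN ADDRESS).  Not part of the original thread.
"""
import subprocess

# Sensitive services from the discussion that live above port 1023 (plus
# one reserved port for contrast).  Port -> user expected to own the
# listener.  This mapping is an assumption made for the example.
EXPECTED_OWNER = {
    111: "root",    # rpcbind / portmapper
    2049: "root",   # NFS
    514: "root",    # syslog, reserved port, shown for contrast
}

# Constructed sample output in sockstat -l format (not a real capture).
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
root     rpcbind    640   7  tcp4   *:111                 *:*
root     rpcbind    640   8  udp4   *:111                 *:*
alice    python3    2231  3  tcp4   *:2049                *:*
bob      nc         2240  3  tcp4   127.0.0.1:8080        *:*
"""


def parse_sockstat(text):
    """Return a list of (user, command, pid, proto, port) for each
    listener line; the header line and unparsable lines are skipped."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        user, command, pid, _fd, proto, local = fields[:6]
        # LOCAL ADDRESS is host:port; the port may be '*' for an
        # unbound socket, which is not a listener we care about.
        port_str = local.rsplit(":", 1)[-1]
        if not port_str.isdigit():
            continue
        listeners.append((user, command, int(pid), proto, int(port_str)))
    return listeners


def find_hijacked(listeners, expected=EXPECTED_OWNER):
    """Return listeners bound to a port in `expected` whose owning user
    differs from the expected one.  A non-root owner on a port below
    1024 cannot happen via bind() on UNIX; above 1023 it is the race the
    thread describes."""
    return [
        entry for entry in listeners
        if entry[4] in expected and entry[0] != expected[entry[4]]
    ]


def read_live_sockstat():
    """Run the real sockstat -l on a FreeBSD host (hypothetical helper,
    not invoked at import time so the module stays runnable offline)."""
    return subprocess.run(["sockstat", "-l"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    for user, command, pid, proto, port in find_hijacked(
            parse_sockstat(SAMPLE_SOCKSTAT)):
        print(f"port {port}/{proto} held by {user} ({command}, pid {pid}); "
              f"expected owner {EXPECTED_OWNER[port]}")
```

Against the constructed sample the check reports only the NFS port 2049 held by `alice`; the unprivileged listener on 8080 is not flagged because no service is expected there. On a live host, `read_live_sockstat()` replaces the sample text.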