Date: Mon, 16 Nov 1998 13:22:47 -0800 (PST)
From: Marc Slemko
To: Matthew Dillon
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Would this make FreeBSD more secure?
In-Reply-To: <199811161941.LAA21747@apollo.backplane.com>

On Mon, 16 Nov 1998, Matthew Dillon wrote:

>
>     We define several capabilities right off the bat:
>
>     RCAPF_LOWPORT   allow binding to low ports

No. Again, read the archives. All this has been gone over and over.

This makes things LESS secure in general. If programs have this ability, now they can't give it up. So suddenly all those simple programs that used to bind to the port and setuid() can't do that any more. Now if you compromise one program, you can compromise them all.

There are some advantages to adding this functionality and some things which it can help, but you need to be very careful or you end up in a bigger mess than you were before.

Your claim that the concept of secure ports is somewhat obsolete misses half the equation: one use of secure ports is to authenticate a source system. That was always a bad idea. The other use, however, which is still very valid, is to secure the server against untrusted users binding to the port. There are zillions of protocols where the client can't verify the server in any useful way. Requiring special privs. to bind to the port that the server runs as helps this out in a big way.