From owner-freebsd-stable@FreeBSD.ORG  Sun Oct 11 14:52:39 2009
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 7E16C1065692;
	Sun, 11 Oct 2009 14:52:39 +0000 (UTC)
	(envelope-from rwatson@FreeBSD.org)
Received: from cyrus.watson.org (cyrus.watson.org [65.122.17.42])
	by mx1.freebsd.org (Postfix) with ESMTP id 5A8018FC1E;
	Sun, 11 Oct 2009 14:52:39 +0000 (UTC)
Received: from fledge.watson.org (fledge.watson.org [65.122.17.41])
	by cyrus.watson.org (Postfix) with ESMTPS id EC3FA46B09;
	Sun, 11 Oct 2009 10:52:38 -0400 (EDT)
Date: Sun, 11 Oct 2009 15:52:38 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
X-X-Sender: robert@fledge.watson.org
To: freebsd-stable@FreeBSD.ORG, dougb@FreeBSD.ORG
In-Reply-To: <200910081823.n98INRVZ082461@lurza.secnetix.de>
Message-ID: <alpine.BSF.2.00.0910111552060.48605@fledge.watson.org>
References: <200910081823.n98INRVZ082461@lurza.secnetix.de>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: 
Subject: Re: openssh concerns
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Oct 2009 14:52:39 -0000


On Thu, 8 Oct 2009, Oliver Fromme wrote:

> Are you sure?  The majority of BSD machines in my vicinity have multiple 
> accounts.
>
> And even if there's only one account, there is no reason to be careless with 
> potential port-takeover risks.
>
> Therefore I advise against running critical daemons on unprivileged ports, 
> especially on machines with shell accounts.  And if you need to bind to a 
> port >= 1024, use mac_portacl(4) to protect it.  It's easy to use. 
> Alternatively you can increase the value of the sysctl 
> net.inet.ip.portrange.reservedhigh, but this is less flexible and might have 
> unwanted side effects.

And, for those that haven't already noticed, "options MAC" is compiled into 
GENERIC on 8.0, so working with MAC policies no longer requires a recompile 
(or in many cases, even a reboot).

Robert N M Watson
Computer Laboratory
University of Cambridge