Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 02 Jul 1998 07:10:20 -0700
From:      David Greenman <dg@root.com>
To:        rotel@indigo.ie
Cc:        "Allen Smith" <easmith@beatrice.rutgers.edu>, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Subject:   Re: bsd securelevel patch question 
Message-ID:  <199807021410.HAA24585@implode.root.com>
In-Reply-To: Your message of "Thu, 02 Jul 1998 14:31:18 -0000." <199807021331.OAA00656@indigo.ie> 

next in thread | previous in thread | raw e-mail | index | archive | help
>Eh?  If ssh/smtp/inetd bind to the port you won't be able to, no
>matter how often you try.  And you won't be able to steal keys
>by hijacking sshd.
>
>I still agree with you for other reasons though, if an attacker
>creates a new service people might use it even though it isn't a
>legitimate service setup my the sysadmin.
>
>Whats wrong with a /dev/socket/tcp/XYZ acl type scheme?  If the
>process has permission to read /dev/socket/tcp/83 then they can
>bind to port 83, you could make it a procfs type filesystem so all
>the ACL information was in memory for speed.  Then you've got to
>save/restore state though.

   Well, one thing that is wrong with this is that it is slow. I sure wouldn't
want my busy WWW server doing this for every connection that is made.

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199807021410.HAA24585>