Date: Thu, 02 Jul 1998 07:10:20 -0700 From: David Greenman <dg@root.com> To: rotel@indigo.ie Cc: "Allen Smith" <easmith@beatrice.rutgers.edu>, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com Subject: Re: bsd securelevel patch question Message-ID: <199807021410.HAA24585@implode.root.com> In-Reply-To: Your message of "Thu, 02 Jul 1998 14:31:18 -0000." <199807021331.OAA00656@indigo.ie>
next in thread | previous in thread | raw e-mail | index | archive | help
>Eh? If ssh/smtp/inetd bind to the port you won't be able to, no >matter how often you try. And you won't be able to steal keys >by hijacking sshd. > >I still agree with you for other reasons though, if an attacker >creates a new service people might use it even though it isn't a >legitimate service setup my the sysadmin. > >Whats wrong with a /dev/socket/tcp/XYZ acl type scheme? If the >process has permission to read /dev/socket/tcp/83 then they can >bind to port 83, you could make it a procfs type filesystem so all >the ACL information was in memory for speed. Then you've got to >save/restore state though. Well, one thing that is wrong with this is that it is slow. I sure wouldn't want my busy WWW server doing this for every connection that is made. -DG David Greenman Co-founder/Principal Architect, The FreeBSD Project To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199807021410.HAA24585>