Date: Sat, 24 Aug 2002 18:19:00 -0700 (PDT) From: Don Lewis <dl-freebsd@catspoiler.org> To: rmeijer@xs4all.nl Cc: freebsd-security@FreeBSD.ORG Subject: Re: user based firewalling with ipfw and priviledged ports. Message-ID: <200208250119.g7P1J0wr046025@gw.catspoiler.org> In-Reply-To: <20020824100341.T75248-100000@xs1.xs4all.nl>
next in thread | previous in thread | raw e-mail | index | archive | help
On 24 Aug, Rob J Meijer wrote: > The problem is that I need to bind to a priviledged port, and in order to > do this I need to start as root and than change the (e&r) uid of the > process to the target uid. It apears that the changing of the process its > uid does not change the way that the user bit of trafic from the specific > socket is seen, both iptables and ipfw interpret the trafic as comming > from the root user. You might want to consider binding to predetermined unpriviledged port as the desired user and using natd to redirect incoming connections from the priviledged port to the unpriviledged port. The only real flaw in this scheme is that the wrong user could bind to the predetermined unpriviledged port. If each user has a separate chroot environment, you could prevent this problem by using jail() instead of chroot(), because jail() allows you to specify a separate IP address for each jail, and in this case you could allocate addresses from the loopback network 127.x.x.x. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200208250119.g7P1J0wr046025>