From owner-freebsd-security@FreeBSD.ORG Sat May 27 15:24:15 2006
Date: Sat, 27 May 2006 10:24:31 -0500
From: "Z.C.B." (envelope-from vvelox@vvelox.net)
To: Ian G
Cc: FreeBSD Security List
Subject: Re: On what versions of FreeBSD can we unreserve ports?
Message-ID: <20060527102431.0a5d4323@vixen42.vulpes>
In-Reply-To: <4478594C.6080309@iang.org>
References: <4478594C.6080309@iang.org>
X-Mailer: Sylpheed-Claws 2.2.0 (GTK+ 2.8.17; i386-portbld-freebsd5.4)
List-Id: "Security issues [members-only posting]"
X-Mailman-Approved-At: Mon, 29 May 2006 21:17:38 +0000

On Sat, 27 May 2006 15:51:08 +0200
Ian G wrote:

> On which versions of FreeBSD is it now possible to
> un-reserve ports?
>
> ( I've been waiting for this since forever ... have
> spent countless days - $$$ - trying to install
> workarounds, only to junk them later. I've even
> been paid a consulting gig to develop this, and
> declined to deploy it on my own servers :-/ )
>
> iang
>
>
>
> http://askslim.blogspot.com/2006/05/freebsd-61-disabling-reserverd-ports.html
>
> Friday, May 26, 2006
> FreeBSD 6.1: Disabling Reserved Ports
>
> A common misfeature found on UN*X operating systems is the
> restriction that only root can bind to ports < 1024. Many a
> dollar has been wasted on workarounds and -often- the
> resulting security holes.
>
> Fortunately on FreeBSD 6.1 (and probably older versions as
> well) you can disable this remnant of trust-by-convention.
>
>
> host$ sysctl net.inet.ip.portrange.reservedhigh=0
>
> That simple. Add it to your /etc/sysctl.conf today!
>
> posted by Slim @ 4:18 PM

That works on releng_5 as well.

Since when is this common for just UNIX? I would have to double check, but I am certain Windows and nearly everything else does this as well. Just on Windows, users run with what would normally be root privileges.

It does serve a useful purpose. It prevents any user from running services on them.
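An added example, not part of this thread or of the quoted blog post: a small POSIX shell script that decides whether a port falls inside FreeBSD's privileged range. The range is bounded by the two sysctls net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh (defaults 0 and 1023); an unprivileged bind() to a port in that range fails with EACCES, and the blog post's `reservedhigh=0` empties it. The script reads the live values where the sysctls exist and falls back to the FreeBSD defaults elsewhere, so it runs offline on any host. The treatment of port 0 as "not checked" (it means "pick an ephemeral port", not a fixed bind) and the helper names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread. Models FreeBSD's
# reserved-port check: a non-root bind() to a port in
# [reservedlow, reservedhigh] is refused. Defaults assumed: 0 and 1023.

# port_is_reserved PORT LOW HIGH
# Returns 0 (true) when PORT lies in [LOW, HIGH], 1 otherwise.
# Port 0 asks the kernel for an ephemeral port and is never subject to
# the privileged-range check (assumption stated in the lead-in).
port_is_reserved() {
    port=$1; low=$2; high=$3
    [ "$port" -eq 0 ] && return 1
    [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]
}

# Live values where available (FreeBSD); FreeBSD defaults otherwise so the
# script still behaves sensibly on hosts without these sysctls.
reserved_low()  { sysctl -n net.inet.ip.portrange.reservedlow  2>/dev/null || echo 0; }
reserved_high() { sysctl -n net.inet.ip.portrange.reservedhigh 2>/dev/null || echo 1023; }

# reserved_count LOW HIGH
# Number of bindable ports (1-65535) that still require root for the given
# bounds; with HIGH=0 this is 0, which is what the quoted blog post relies on.
reserved_count() {
    low=$1; high=$2
    [ "$low" -lt 1 ] && low=1
    [ "$high" -gt 65535 ] && high=65535
    if [ "$high" -lt "$low" ]; then echo 0; else echo $((high - low + 1)); fi
}

# check_port PORT
# Prints whether an unprivileged process on this host may bind PORT.
check_port() {
    if port_is_reserved "$1" "$(reserved_low)" "$(reserved_high)"; then
        echo "port $1: reserved (root required)"
    else
        echo "port $1: unreserved (any user may bind)"
    fi
}

# The line the blog post suggests adding to /etc/sysctl.conf; printed rather
# than applied, since applying it is a deliberate policy change.
unreserve_line() { echo "net.inet.ip.portrange.reservedhigh=0"; }

# Stand-alone run: report a few ports and show how many remain privileged.
check_port 80
check_port 1024
echo "ports still requiring root: $(reserved_count "$(reserved_low)" "$(reserved_high)")"
echo "to unreserve them all, add to /etc/sysctl.conf: $(unreserve_line)"
```

The count function makes the consequence of the sysctl explicit: with the default bounds 1023 ports need root, with `reservedhigh=0` none do, which is exactly the trade-off the reply above points at (any local user may then start a service on 25, 80 or 443).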