From owner-freebsd-security Thu Jul 2 10:31:48 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA01676 for freebsd-security-outgoing; Thu, 2 Jul 1998 10:31:48 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from indigo.ie (nsmart@ts01-55.waterford.indigo.ie [194.125.139.118]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA01653 for ; Thu, 2 Jul 1998 10:31:43 -0700 (PDT) (envelope-from rotel@indigo.ie) Received: (from nsmart@localhost) by indigo.ie (8.8.8/8.8.7) id SAA00883; Thu, 2 Jul 1998 18:23:39 +0100 (IST) (envelope-from rotel@indigo.ie) From: Niall Smart Message-Id: <199807021723.SAA00883@indigo.ie> Date: Thu, 2 Jul 1998 18:23:39 +0000 In-Reply-To: Poul-Henning Kamp "Re: bsd securelevel patch question" (Jul 2, 7:04pm) Reply-To: rotel@indigo.ie X-Mailer: Mail User's Shell (7.2.6 beta(3) 11/17/96) To: Poul-Henning Kamp , rotel@indigo.ie Subject: Re: bsd securelevel patch question Cc: "Allen Smith" , dg@root.com, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Jul 2, 7:04pm, Poul-Henning Kamp wrote: } Subject: Re: bsd securelevel patch question > > > >Thats not true, if he hacks the user/group that the web server runs > >at then he only owns the web server, the only additional priviledge > >he gains is the ability to bind to port 80. > > which is worse that the standard: he cannot bind to any port < 1024. Well, this depends on how the server runs, if it binds to the port and then setuid()'s to a lower priviledge then this is true. There are clients out there that are purely setuid just so they can bind to a port < 1024 however, so it has valid uses. Niall -- Niall Smart. PGP: finger njs3@motmot.doc.ic.ac.uk FreeBSD: Turning PC's into Workstations: www.freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message