From owner-freebsd-net@FreeBSD.ORG Thu Jun 23 13:14:44 2005
From: Jeremie Le Hen
To: Darren Pilgrim
Cc: freebsd-net@freebsd.org, 'Mrad James Deane'
Date: Thu, 23 Jun 2005 15:14:55 +0200
Subject: Re: www user than root
Message-ID: <20050623131455.GZ738@obiwan.tataz.chchile.org>
In-Reply-To: <000401c577a2$c095b090$0b2a15ac@SMILEY>
List-Id: Networking and TCP/IP with FreeBSD

> Most daemons that bind to "privileged" ports and run as a non-root uid,
> start as root, then change the effective UID after binding to the port.

Yes. Secure programs like Postfix (smtp), OpenSSH, vsftpd and Dovecot (imap) use privilege separation. For instance, if you need to open TCP port 80 late, you could use a separate process for this purpose only and communicate with it (through a UNIX socket).
There is obviously some performance degradation if you need high-speed communication, but this is the trade-off if you really need to open a privileged port late and you want security.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
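Editor's added example, not code from Jeremie's message or from any of the daemons he names: the pattern he describes, a privileged parent that only binds the socket and a worker that drops privileges and receives the listening descriptor over a UNIX socketpair with SCM_RIGHTS. Port 0 (kernel-chosen, so the program runs without root) stands in for port 80, and uid/gid 65534 ("nobody") is an assumed unprivileged identity; both are illustration choices, not anything the thread specifies.

```c
/* Editor's example, not from the original message. Port 0 stands in for
 * port 80 so it runs unprivileged; uid/gid 65534 is the assumed "nobody". */
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <string.h>
#include <unistd.h>

/* Send one descriptor over a UNIX-domain socket. Returns 0 on success. */
int send_fd(int chan, int fd)
{
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    memset(&u, 0, sizeof u);
    msg.msg_iov = &iov;        msg.msg_iovlen = 1;
    msg.msg_control = u.buf;   msg.msg_controllen = sizeof u.buf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;  c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; -1 if the message carried no valid SCM_RIGHTS. */
int recv_fd(int chan)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;        msg.msg_iovlen = 1;
    msg.msg_control = u.buf;   msg.msg_controllen = sizeof u.buf;
    if (recvmsg(chan, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC))
        return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c == NULL || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS
        || c->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Bind and listen on 127.0.0.1:port (0 = kernel-chosen). Returns fd or -1. */
int bind_listener(unsigned short port)
{
    struct sockaddr_in sin;
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons(port);
    if (bind(s, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(s, 8) < 0) {
        close(s);
        return -1;
    }
    return s;
}

/* Port (host order) a socket is bound to, or 0 on error. */
unsigned short bound_port(int s)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    if (getsockname(s, (struct sockaddr *)&sin, &len) < 0) return 0;
    return ntohs(sin.sin_port);
}

/* The worker drops privileges first (a no-op unless started as root), then
 * asks the parent for a listener over the socketpair; the parent binds and
 * passes only that fd. Returns the port the worker saw if it matches what
 * the parent bound, else 0. */
unsigned short privsep_demo(unsigned short port)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {                                   /* unprivileged worker */
        close(sv[0]);
        if (getuid() == 0 && (setgid(65534) < 0 || setuid(65534) < 0))
            _exit(1);
        char req = 'B';                               /* "bind for me" */
        if (write(sv[1], &req, 1) != 1) _exit(1);
        int ls = recv_fd(sv[1]);
        unsigned short got = ls >= 0 ? bound_port(ls) : 0;
        if (write(sv[1], &got, sizeof got) != (ssize_t)sizeof got) _exit(1);
        _exit(0);
    }
    close(sv[1]);                                     /* privileged parent */
    char req;
    unsigned short got = 0, result = 0;
    if (read(sv[0], &req, 1) == 1 && req == 'B') {
        int ls = bind_listener(port);
        if (ls >= 0 && send_fd(sv[0], ls) == 0
            && read(sv[0], &got, sizeof got) == (ssize_t)sizeof got
            && got != 0 && got == bound_port(ls))
            result = got;
        if (ls >= 0) close(ls);
    }
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return result;
}
```

Running privsep_demo(80) as root shows the real case: the parent keeps root and does nothing but bind, while the worker that will talk to the network has already switched to uid 65534 before the descriptor arrives. Every request across the socketpair is a message the parent must validate (here only a single 'B' byte is accepted), which is where the performance cost Jeremie mentions comes from: each privileged operation is a round trip rather than a syscall.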