Date: Thu, 23 Jun 2005 15:14:55 +0200 From: Jeremie Le Hen <jeremie@le-hen.org> To: Darren Pilgrim <dmp@bitfreak.org> Cc: freebsd-net@freebsd.org, 'Mrad James Deane' <xtremejames183@msn.com> Subject: Re: www user than root Message-ID: <20050623131455.GZ738@obiwan.tataz.chchile.org> In-Reply-To: <000401c577a2$c095b090$0b2a15ac@SMILEY> References: <BAY11-F12EF48C9216082BFB35A7B9CEB0@phx.gbl> <000401c577a2$c095b090$0b2a15ac@SMILEY>
next in thread | previous in thread | raw e-mail | index | archive | help
> Most daemons that bind to "priveleged" ports and run as a non-root uid, > start as root, then change the effective UID after binding to the port. Yes. Secure programs like Postfix (smtp), OpenSSH, vsftpd and Dovecot (imap) use privilege separation. For instance if you need to open the TCP port 80 lately, you could use a separate process for this purpose only and communicate through it (through a UNIX socket). There is obviously some performance degradation if you need to use high speed communications, but this is a trade-off if you really need to open a privileged port lately and you want security. Regards, -- Jeremie Le Hen < jeremie at le-hen dot org >< ttz at chchile dot org >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050623131455.GZ738>