From owner-freebsd-net@FreeBSD.ORG Thu Jun 23 13:23:15 2005
From: Abu Khaled
Reply-To: Abu Khaled
To: Jeremie Le Hen
Cc: freebsd-net@freebsd.org, Darren Pilgrim, Mrad James Deane
Date: Thu, 23 Jun 2005 16:23:13 +0300
Subject: Re: www user than root
List-Id: Networking and TCP/IP with FreeBSD
In-Reply-To: <20050623131455.GZ738@obiwan.tataz.chchile.org>
References: <000401c577a2$c095b090$0b2a15ac@SMILEY> <20050623131455.GZ738@obiwan.tataz.chchile.org>

On 6/23/05, Jeremie Le Hen wrote:
> > Most daemons that bind to "privileged" ports and run as a non-root uid,
> > start as root, then change the effective UID after binding to the port.
>
> Yes. Secure programs like Postfix (smtp), OpenSSH, vsftpd and Dovecot
> (imap) use privilege separation. For instance if you need to open the
> TCP port 80 lately, you could use a separate process for this purpose
> only and communicate through it (through a UNIX socket). There is
> obviously some performance degradation if you need to use high speed
> communications, but this is a trade-off if you really need to open a
> privileged port lately and you want security.
>
> Regards,
> --
> Jeremie Le Hen
> < jeremie at le-hen dot org >< ttz at chchile dot org >

Is it a good idea to run daemons on non-privileged ports as a normal user
(e.g. www) and then have natd or a firewall redirect the traffic targeting
the privileged port? For example:

A web server running as user www on port 8000.
IPFW, IPNAT, PF or NATD redirecting port 80 to port 8000.

Is such a solution a good idea? I read in man natd that one can redirect
traffic coming in on the gateway on port 80 to one or many servers running
daemons on non-privileged ports.

--
Kind regards
Abu Khaled
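The bind-then-drop pattern described in the quoted text, which the question above weighs against a firewall redirect, as an added example that is not part of this thread: the process binds the privileged port while still root, then drops to the www account in an order that leaves no way back to uid 0, and verifies that. The `www` account name and the loopback bind address are assumptions for illustration.

```c
#define _DEFAULT_SOURCE        /* exposes setgroups() on glibc; harmless on FreeBSD */
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>

/* Open an IPv4 TCP listening socket on 127.0.0.1:`port` (0 = any free port).
 * Returns the descriptor or -1. A port below 1024 needs root, and doing this
 * before the privilege drop is the only reason the process starts as root. */
int bind_listen(unsigned short port)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* assumption: loopback only */
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently drop to uid/gid. Order matters: supplementary groups and gid
 * first (they still need root), uid last; setuid() rather than seteuid() so
 * the saved set-user-ID is dropped too. Returns 0 on success, -1 on failure;
 * a caller that gets -1 must exit rather than carry on running as root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() == 0 && setgroups(1, &gid) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    /* Verify the drop took effect and that root cannot be regained. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

int main(void)
{
    struct passwd *pw = getpwnam("www");   /* assumed web server account */
    int fd = bind_listen(80);              /* privileged bind happens first */
    if (fd < 0 || pw == NULL) { perror("setup"); return 1; }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) < 0) { perror("drop"); return 1; }
    printf("listening on 127.0.0.1:80 as uid %u\n", (unsigned)getuid());
    close(fd);
    return 0;
}
```

A daemon run under the redirect scheme from the question never needs this code, since it binds 8000 directly as www; the trade-off is that port 8000 itself stays reachable unless the firewall also blocks direct connections to it.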