Date: Thu, 23 Jun 2005 16:23:13 +0300
From: Abu Khaled <khaled.abu@gmail.com>
To: Jeremie Le Hen <jeremie@le-hen.org>
Cc: freebsd-net@freebsd.org, Darren Pilgrim <dmp@bitfreak.org>, Mrad James Deane <xtremejames183@msn.com>
Subject: Re: www user than root
Message-ID: <a64c109e05062306235eac9394@mail.gmail.com>
In-Reply-To: <20050623131455.GZ738@obiwan.tataz.chchile.org>
References: <BAY11-F12EF48C9216082BFB35A7B9CEB0@phx.gbl> <000401c577a2$c095b090$0b2a15ac@SMILEY> <20050623131455.GZ738@obiwan.tataz.chchile.org>
On 6/23/05, Jeremie Le Hen <jeremie@le-hen.org> wrote:
> > Most daemons that bind to "privileged" ports and run as a non-root uid,
> > start as root, then change the effective UID after binding to the port.
>
> Yes. Secure programs like Postfix (smtp), OpenSSH, vsftpd and Dovecot
> (imap) use privilege separation. For instance if you need to open the
> TCP port 80 lately, you could use a separate process for this purpose
> only and communicate through it (through a UNIX socket). There is
> obviously some performance degradation if you need to use high speed
> communications, but this is a trade-off if you really need to open a
> privileged port lately and you want security.
>
> Regards,
> --
> Jeremie Le Hen
> < jeremie at le-hen dot org >< ttz at chchile dot org >

Is it a good idea to run daemons on non-privileged ports as a normal user (e.g. www) and then have natd or a firewall redirect the traffic targeting the privileged port?

For example: a web server running as user www on port 8000, with IPFW, IPNAT, PF or NATD redirecting port 80 to port 8000.

Is such a solution a good idea? I read in man natd that one can redirect traffic coming in on the gateway on port 80 to one or many servers running daemons on non-privileged ports.

--
Kind regards
Abu Khaled
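The privilege-separation pattern Jeremie describes (a privileged helper opens the port and hands the listening socket to an unprivileged worker over a UNIX socket) as an added C example; this is not code from the thread or from any of the daemons named in it. To run without root it binds an ephemeral loopback port instead of port 80, and `send_fd`, `recv_fd`, `bind_listener` and `demo_pass_listener` are the example's own names.

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>
#include <unistd.h>
// Pass one open descriptor over a UNIX-domain socket (SCM_RIGHTS ancillary data).
int send_fd(int chan, int fd) {
    char byte = 'F', buf[CMSG_SPACE(sizeof(int))] = {0};
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = buf, .msg_controllen = sizeof buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}
// Receive a descriptor sent by send_fd; returns the new fd or -1.
int recv_fd(int chan) {
    char byte, buf[CMSG_SPACE(sizeof(int))]; int fd;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = buf, .msg_controllen = sizeof buf };
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}
// Bind+listen on 127.0.0.1:port. A root helper would pass 80; port 0 lets the
// kernel pick a free high port so this demo runs as an ordinary user.
int bind_listener(unsigned short port) {
    int s = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    if (s < 0 || bind(s, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(s, 8) < 0)
        return -1;
    return s;
}
// "Privileged" end binds and hands the listener over a socketpair; the "worker"
// end (which in a real daemon would already have setuid'd to www) receives it.
// Returns the port the received socket is bound to, or -1 on failure.
int demo_pass_listener(void) {
    int pair[2], lst, got;
    struct sockaddr_in sa; socklen_t len = sizeof sa;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) < 0) return -1;
    if ((lst = bind_listener(0)) < 0 || send_fd(pair[0], lst) < 0) return -1;
    close(lst);                          // sender's copy; the in-flight fd keeps the socket alive
    if ((got = recv_fd(pair[1])) < 0 || getsockname(got, (struct sockaddr *)&sa, &len) < 0) return -1;
    close(got); close(pair[0]); close(pair[1]);
    return ntohs(sa.sin_port);
}
```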