From owner-freebsd-security Wed Mar 26 06:56:22 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id GAA13155 for security-outgoing; Wed, 26 Mar 1997 06:56:22 -0800 (PST) Received: from obiwan.aceonline.com.au (obiwan.aceonline.com.au [203.103.90.67]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id GAA12980 for ; Wed, 26 Mar 1997 06:54:25 -0800 (PST) Received: from localhost (adrian@localhost) by obiwan.aceonline.com.au (8.8.5/8.8.5) with SMTP id WAA29309; Wed, 26 Mar 1997 22:50:30 +0800 (WST) Date: Wed, 26 Mar 1997 22:50:30 +0800 (WST) From: Adrian Chadd To: David Greenman cc: tqbf@enteract.com, adrian@deathstar.ml.org, freebsd-security@FreeBSD.ORG Subject: Re: Privileged ports... In-Reply-To: <199703261441.GAA12899@root.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Wed, 26 Mar 1997, David Greenman wrote: > None that I can think of if I understand you correctly. The thing you > want to prevent is regular users being able to bind to a privileged port. > It would take an average cracker less than 5 minutes to whip up a couple > of really nasty programs (such as one that pretends to be rlogin - claiming > to be some other user). As long as you retain control over who/what can > bind to the privileged ports, I don't see any problem. > Agreed. > >Surely there must be a nicer way :) > > It would be nice if FreeBSD had account privileges ala VMS. You could then > have fine grain control over what 'privileged' programs can do, thus limiting > the vulnerabilites. I've been thinking about this on occasion for many years > and have discussed the idea with several other people. There are a lot of > details...it's not as easy as it might seem. > Sounds interesting. It would be an interesting project to take on, I'm sure. How about assigning each port number a userid which can bind with the port alongside root? Should be easy enough to implement, and powerful enough to not need suid root binaries to bind to priv'ed ports. > -DG > > David Greenman > Core-team/Principal Architect, The FreeBSD Project > Enough from me on this, I have uni tomorrow^H^H^H^H^H^H^H^H^Hthis morning. :) *thwap* Night, -- Adrian Chadd | UNIX, MS-DOS and Windows ... | (also known as the Good, the bad and the | ugly..)