From: "Allen Smith"
Message-Id: <9807030553.ZM8446@beatrice.rutgers.edu>
Date: Fri, 3 Jul 1998 05:53:35 -0400
In-Reply-To: David Greenman "Re: bsd securelevel patch question" (Jul 2, 9:00am)
References: <199807021600.JAA24882@implode.root.com>
To: dg@root.com, rotel@indigo.ie
Subject: Re: bsd securelevel patch question
Cc: security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com

On Jul 2, 9:00am, David Greenman (possibly) wrote:
> Um, well, let's talk about FTP servers, then, since those do a privileged
> bind() for every data connection that is established (one per file
> transfer).

Good point. The various examples here are pointing out something: in
most cases, and so far as I know in all of the most frequent cases,
it's only necessary to be able to bind to _one_ privileged port. (By
'the most frequent cases', I'm referring to that while the FTP server
has to bind to both port 20 and port 21, the latter is far more
frequent than the former - the first just happens when starting up a
new daemon (and is usually done by inetd in any event).)

This implies that one way to speed things up would be to have as extra
fields in a privilege structure (or as part of the ucred structure) the
main tcp or udp port the process is permitted to bind to. In this way,
one would simply check:

A. does the process have the PRIV_TCP (or PRIV_UDP) privilege;
B. if so, is the port in the privilege/ucred structure equal to the
   requested one (with a 0 meaning none has been established)? If so,
   allow
C. if not, do whatever scanning is necessary to figure out if the port
   is allowable; if it is, then put that port # in the privilege/ucred
   structure

-Allen

-- 
Allen Smith easmith@beatrice.rutgers.edu
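
The A/B/C check proposed above, sketched in user-space C as an added example (not part of the original message and not FreeBSD code). The struct port_cred layout, the allow-list used for the slow path, the PRIV_TCP bit value and the slow_scans counter are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PRIV_TCP 0x1u /* privilege named in the message; bit value assumed */

/* Hypothetical per-process record, not FreeBSD's struct ucred. */
struct port_cred {
    unsigned        privs;    /* privilege bits held */
    uint16_t        tcp_port; /* cached permitted port; 0 = none established */
    const uint16_t *allowed;  /* assumed allow-list consulted on the slow path */
    size_t          nallowed;
};

static unsigned long slow_scans; /* slow-path lookups, counted for illustration */

/* Step C's "whatever scanning is necessary": here a linear allow-list walk. */
static int scan_allowed(const struct port_cred *c, uint16_t port)
{
    slow_scans++;
    for (size_t i = 0; i < c->nallowed; i++)
        if (c->allowed[i] == port)
            return 1;
    return 0;
}

/* Returns 1 if the bind to a privileged TCP port may proceed, 0 otherwise. */
int priv_bind_ok(struct port_cred *c, uint16_t port)
{
    if (!(c->privs & PRIV_TCP)) /* A: no privilege, no bind */
        return 0;
    if (port == 0)              /* 0 is the empty-cache sentinel; never match it */
        return 0;
    if (c->tcp_port == port)    /* B: fast path, cached port */
        return 1;
    if (!scan_allowed(c, port)) /* C: slow path; a denial leaves the cache alone */
        return 0;
    c->tcp_port = port;         /* C: remember the port for the next bind */
    return 1;
}

int main(void)
{
    static const uint16_t ports[] = { 20, 21 }; /* constructed sample list */
    struct port_cred ftpd = { PRIV_TCP, 0, ports, 2 };
    for (int i = 0; i < 1000; i++)              /* one bind per file transfer */
        priv_bind_ok(&ftpd, 20);
    printf("1000 binds, %lu slow-path scans\n", slow_scans);
    return 0;
}
```

Because 0 doubles as the "nothing cached" marker, a request for port 0 has to be rejected before step B, or an empty cache would match it. The cache is only written after a successful scan, so a denied request cannot displace or poison the remembered port.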