From: David Greenman <dg@root.com>
To: "Allen Smith"
Cc: rotel@indigo.ie, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Subject: Re: bsd securelevel patch question
Date: Fri, 03 Jul 1998 03:28:10 -0700
In-reply-to: Your message of "Fri, 03 Jul 1998 05:53:35 EDT." <9807030553.ZM8446@beatrice.rutgers.edu>
Message-Id: <199807031028.DAA06648@implode.root.com>

>On Jul 2, 9:00am, David Greenman (possibly) wrote:
>
>> Um, well, let's talk about FTP servers, then, since those do a privileged
>> bind() for every data connection that is established (one per file
>> transfer).
>
>Good point. The various examples here are pointing out something: in
>most cases, and so far as I know in all of the most frequent cases,
>it's only necessary to be able to bind to _one_ privileged port. (By
>'the most frequent cases', I'm referring to that while the FTP server
>has to bind to both port 20 and port 21, the latter is far more
>frequent than the former - the first just happens when starting up a
>new daemon (and is usually done by inetd in any event).) This implies
>that one way to speed things up would be to have as extra fields in a
>privilege structure (or as part of the ucred structure) the main tcp
>or udp port the process is permitted to bind to. In this way, one
>would simply check:
>
> A. does the process have the PRIV_TCP (or PRIV_UDP) privilege;
> B. if so, is the port in the privilege/ucred structure equal
>    to the requested one (with a 0 meaning none has been
>    established)? If so, allow
> C. if not, do whatever scanning is necessary to figure out if
>    the port is allowable; if it is, then put that port # in
>    the privilege/ucred structure

   Okay, so you are saying that the PRIV_* port privileges would be honored
only for the first privileged port number that is bind()'ed [sic]?
Hmmm...sounds interesting. I like that a lot better than assigning 1024 gids
to TCP, another 1024 gids to UDP, etc.

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project
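The A/B/C check from the quoted proposal, written out as an added example (it is not code from this thread or from FreeBSD): the ucred layout, the PRIV_TCP/PRIV_UDP bits and the allow-list that stands in for step C's "scanning" are all constructed assumptions. ftp_demo() plays through the FTP pattern the thread discusses, port 21 once at startup and port 20 once per transfer, and counts how many binds still need the slow path.

```c
/* Added example, not FreeBSD's code: ucred layout, PRIV_* bits and the
 * allow-list policy are constructed to illustrate the quoted proposal. */
#include <stddef.h>
#include <stdint.h>
#define PRIV_TCP 0x1            /* hypothetical: may bind privileged TCP ports */
#define PRIV_UDP 0x2            /* hypothetical: may bind privileged UDP ports */
#define IPPORT_RESERVED 1024    /* ports below this are privileged */
enum proto { PROTO_TCP, PROTO_UDP };
enum verdict { BIND_DENIED, BIND_NOT_PRIVILEGED, BIND_ALLOWED_CACHED, BIND_ALLOWED_SCANNED };
struct ucred {
    unsigned privs;              /* PRIV_* bits held by the process */
    uint16_t tcp_port, udp_port; /* privileged port remembered per protocol, 0 = none yet */
};
/* Step C, the slow path: a constructed allow-list stands in for whatever
 * scan really decides whether the port is allowable. */
static int port_allowed_by_policy(enum proto p, uint16_t port)
{
    static const uint16_t tcp_ok[] = { 20, 21, 25, 80 }, udp_ok[] = { 53, 123 };
    const uint16_t *tab = (p == PROTO_TCP) ? tcp_ok : udp_ok;
    size_t n = (p == PROTO_TCP) ? sizeof tcp_ok / sizeof *tcp_ok : sizeof udp_ok / sizeof *udp_ok;
    for (size_t i = 0; i < n; i++)
        if (tab[i] == port)
            return 1;
    return 0;
}
enum verdict priv_bind_check(struct ucred *cr, enum proto p, uint16_t port)
{
    unsigned need = (p == PROTO_TCP) ? PRIV_TCP : PRIV_UDP;
    uint16_t *cached = (p == PROTO_TCP) ? &cr->tcp_port : &cr->udp_port;
    if (port == 0 || port >= IPPORT_RESERVED)
        return BIND_NOT_PRIVILEGED;         /* ordinary bind() rules apply */
    if (!(cr->privs & need))                /* step A: does it hold the privilege? */
        return BIND_DENIED;
    if (*cached == port)                    /* step B: same port as last time, fast path */
        return BIND_ALLOWED_CACHED;
    if (!port_allowed_by_policy(p, port))   /* step C: full scan */
        return BIND_DENIED;
    *cached = port;                         /* remember it for the next bind() */
    return BIND_ALLOWED_SCANNED;
}
/* FTP pattern: port 21 once at startup, port 20 once per transfer; returns slow-path count. */
int ftp_demo(int transfers)
{
    struct ucred cr = { PRIV_TCP, 0, 0 };
    int slow = (priv_bind_check(&cr, PROTO_TCP, 21) == BIND_ALLOWED_SCANNED);
    for (int i = 0; i < transfers; i++)
        if (priv_bind_check(&cr, PROTO_TCP, 20) == BIND_ALLOWED_SCANNED)
            slow++;
    return slow;    /* 2: port 21 and the first port 20; later 20s hit step B */
}
```

Note that step C as quoted overwrites the remembered port, so after the first data connection every further bind() of port 20 takes the fast path while a later bind() of port 21 would scan again; that is the "only the first privileged port" semantics the reply asks about.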