From owner-freebsd-security Tue Nov 17 08:53:52 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA05852 for freebsd-security-outgoing; Tue, 17 Nov 1998 08:53:52 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.numachi.com (numachi.numachi.com [198.175.254.2]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id IAA05843 for ; Tue, 17 Nov 1998 08:53:47 -0800 (PST) (envelope-from reichert@numachi.com)
Received: (qmail 9496 invoked by uid 1001); 17 Nov 1998 16:26:40 -0000
Message-ID: <19981117112640.A9299@numachi.com>
Date: Tue, 17 Nov 1998 11:26:40 -0500
From: Brian Reichert
To: freebsd-security@FreeBSD.ORG
Subject: Re: Would this make FreeBSD more secure? & sendmail changes in OpenBSD 2.4
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.91i
In-Reply-To: ; from Cliff Skolnick on Tue, Nov 17, 1998 at 12:19:36AM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Nov 17, 1998 at 12:19:36AM -0800, Cliff Skolnick wrote:
> The program would be setuid root, open a port (restricted by some access
> file like the suggested /etc/bindports), and exec the daemon. Of course
> there would be some interface dealing with what file descriptors contained
> the socket, perhaps passed as a parameter.

I've been making heavy use of DJB's ucspi-tcp wrapper. It's discussed at

    ftp://koobera.math.uic.edu/www/ucspi-tcp.html

and makes his home-spun interface for CLIs to work off of the net:

    ftp://koobera.math.uic.edu/www/proto/ucspi.txt

It handles a lot of what I'm concerned about, and makes for an easy
place to put a 'limits' wrapper in...

One thing it doesn't seem to do is allow you to have N pre-forked
images, and broker conversations with them...

-- 
Brian 'you Bastard' Reichert    reichert@numachi.com
37 Crystal Ave. #303            Current daytime number: (603)-434-6842
Derry NH 03038-1713 USA         Intel architecture: the left-hand path
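
The bind-then-exec launcher described in the quoted proposal, sketched as an added example; it is not code from this message, from ucspi-tcp, or from FreeBSD. Assumptions: the hypothetical launcher is invoked as `bindexec port daemon [args...]`, the policy uses one "port uid" pair per line and is embedded as a constructed string instead of being read from /etc/bindports, and the daemon receives the listening socket on descriptor 0.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Default-deny: 1 only if a "port uid" line (assumed format) matches. */
int port_allowed(const char *policy, int port, long uid) {
    while (*policy) {
        char line[64];
        int fport; long fuid;
        size_t n = strcspn(policy, "\n");
        if (n < sizeof line) {                /* over-long lines are ignored */
            snprintf(line, sizeof line, "%.*s", (int)n, policy);
            if (sscanf(line, "%d %ld", &fport, &fuid) == 2 && fport == port && fuid == uid)
                return 1;
        }
        policy += n + (policy[n] == '\n');
    }
    return 0;
}

/* Bind and listen on a TCP port; returns the socket, or -1 on failure. */
int bind_listener(int port) {
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons((unsigned short)port);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv) {
    static const char policy[] = "80 80\n25 26\n";  /* constructed sample policy */
    int fd, port = argc > 2 ? atoi(argv[1]) : 0;
    if (port <= 0 || !port_allowed(policy, port, (long)getuid())) return 1;
    if ((fd = bind_listener(port)) < 0) return 1;   /* ports < 1024 need euid 0 */
    /* Drop root permanently before the daemon runs, and verify it worked. */
    if (setgid(getgid()) < 0 || setuid(getuid()) < 0 || geteuid() != getuid()) return 1;
    if (dup2(fd, 0) < 0) return 1;
    execv(argv[2], argv + 2);
    return 1;                                       /* only reached if exec failed */
}
```

The only work done with root privilege is the policy check and the bind; the daemon itself never runs with euid 0.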