From: Ian G
Organization: http://iang.org/
Date: Sat, 27 May 2006 15:51:08 +0200
To: FreeBSD Security List
Message-ID: <4478594C.6080309@iang.org>
Subject: On what versions of FreeBSD can we unreserve ports?

On which versions of FreeBSD is it now possible to un-reserve ports?

( I've been waiting for this since forever ... have spent countless days - $$$ - trying to install workarounds, only to junk them later. I've even been paid a consulting gig to develop this, and declined to deploy it on my own servers :-/ )

iang

http://askslim.blogspot.com/2006/05/freebsd-61-disabling-reserverd-ports.html

Friday, May 26, 2006

FreeBSD 6.1: Disabling Reserved Ports

A common misfeature found on UN*X operating systems is the restriction that only root can bind to ports < 1024. Many a dollar has been wasted on workarounds and -often- the resulting security holes. Fortunately on FreeBSD 6.1 (and probably older versions as well) you can disable this remnant of trust-by-convention.

    host$ sysctl net.inet.ip.portrange.reservedhigh=0

That simple. Add it to your /etc/sysctl.conf today!

posted by Slim @ 4:18 PM
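
An added example (not part of the original email or the quoted blog post): a small shell audit that reads sysctl.conf-style text and reports which common service ports any local user could bind once the setting above is in place. The parser is simplified, the sample configuration is constructed, and the script assumes FreeBSD's defaults of reservedlow=0 and reservedhigh=1023.

```shell
#!/bin/sh
# Added example: audit sysctl.conf text for changes to the reserved port range.
# Ports in [reservedlow, reservedhigh] require root to bind (assumed FreeBSD
# defaults: 0 and 1023).

# Constructed sample standing in for /etc/sysctl.conf.
SAMPLE_CONF='# constructed sample
security.bsd.see_other_uids=0
net.inet.ip.portrange.reservedhigh=1023   # old value
net.inet.ip.portrange.reservedhigh=0
'

# conf_value NAME DEFAULT: read sysctl.conf text on stdin and print the last
# value assigned to NAME (later lines win), or DEFAULT if it is never set.
conf_value() {
    awk -v name="$1" -v def="$2" '
        { sub(/#.*/, "") }                      # strip comments
        {
            eq = index($0, "=")
            if (eq == 0) next                   # not an assignment
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key)
            gsub(/[ \t"]/, "", val)
            if (key == name) def = val
        }
        END { print def }'
}

# port_needs_root PORT LOW HIGH: succeeds if binding PORT requires root.
port_needs_root() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# audit_reserved CONF_TEXT: report the effective range and a few service ports.
audit_reserved() {
    low=$(printf '%s\n' "$1" | conf_value net.inet.ip.portrange.reservedlow 0)
    high=$(printf '%s\n' "$1" | conf_value net.inet.ip.portrange.reservedhigh 1023)
    echo "reserved range: $low-$high"
    for port in 22 25 80 443; do
        if port_needs_root "$port" "$low" "$high"; then
            echo "port $port: root only"
        else
            echo "port $port: any local user may bind"
        fi
    done
}

audit_reserved "$SAMPLE_CONF"
```

With the range collapsed to 0-0, every listed port is reported as bindable by any local user, which is the exposure to weigh on multi-user hosts before making the change persistent.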