Date: Tue, 17 Nov 1998 09:31:18 -0800 (PST)
From: Marc Slemko <marcs@znep.com>
To: Adam Shostack <adam@homeport.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Would this make FreeBSD more secure?
Message-ID: <Pine.BSF.4.05.9811170927060.12077-100000@alive.znep.com>
In-Reply-To: <19981117084523.A17686@weathership.homeport.org>
On Tue, 17 Nov 1998, Adam Shostack wrote:

> On Mon, Nov 16, 1998 at 01:22:47PM -0800, Marc Slemko wrote:
>
> | The other use, however, which is still very valid, is to secure the server
> | against untrusted users binding to the port. There are zillions of
> | protocols where the client can't verify the server in any useful way.
> | Requiring special privs. to bind to the port that the server runs as
> | helps this out in a big way.
>
> For this to be true, it requires that NT (which doesn't have a
> concept of privileged ports) be removed from all server locations on
> the internet. While I'll agree that this is a useful security
> measure, it's not particularly realistic, and we should consider giving
> up on this assumption.

Nonsense! You are missing the entire point.

Say, for example, you have an MX record pointing to a server that does
have privileged ports. That means that, even if the mail server does
crash or stop listening on the port, any old user can't just bind to the
port and steal mail. Therefore, privileged ports are useful. It doesn't
matter if there is an NT machine sitting beside it on the same network.
If you point your MX record at it and let any users use it, then you
deserve what you get.

Again, as I said in my original message, there are two main classes of
uses for privileged ports. Just because not all machines have them
doesn't make this use less valid.
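The property argued for above (a non-root user cannot take over a reserved port such as SMTP/25 once the real server has died, while a service on a high port has no such protection) can be checked from an ordinary shell account. The following is an added example, not code from the thread; it probes bind(2) on the local host and classifies each port, and assumes the classic 0-1023 reserved range and a loopback interface.

```python
import errno
import os
import socket

# Classic Unix/FreeBSD rule: only root may bind TCP/UDP ports 0-1023.
RESERVED_PORT_MAX = 1023


def try_bind(port, host="127.0.0.1"):
    """Try to bind a TCP socket to host:port and release it at once.
    Returns None if bind(2) succeeded, otherwise the errno it failed with."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        return None
    except OSError as exc:
        return exc.errno
    finally:
        sock.close()


def squat_risk(port, euid=None):
    """Could a local unprivileged user take over `port` once the real server
    stops listening? Answers 'protected', 'in-use', 'squattable' or 'unknown'."""
    euid = os.geteuid() if euid is None else euid
    rc = try_bind(port)
    if rc == errno.EADDRINUSE:
        return "in-use"          # a server holds it now; re-check after it exits
    if rc in (errno.EACCES, errno.EPERM):
        return "protected"       # kernel refused the unprivileged bind
    if rc is None:
        # A successful bind proves nothing when we are root: fall back to the
        # reserved range. For any other user it means the port is wide open.
        if euid == 0:
            return "protected" if port <= RESERVED_PORT_MAX else "squattable"
        return "squattable"
    return "unknown"


def audit(services):
    """Map {name: port} to the squat risk of each port. For the MX-host case
    in the thread: SMTP on 25 is protected, a relay on a high port is not."""
    return {name: squat_risk(port) for name, port in services.items()}


if __name__ == "__main__":
    # Constructed sample: the real listener on 25 plus a hypothetical relay.
    for name, risk in audit({"smtp": 25, "relay-2525": 2525}).items():
        print(f"{name}: {risk}")
```

Run it as an unprivileged user: port 25 reports "protected" (or "in-use" while a mail server holds it), whereas the high port reports "squattable", which is exactly the gap the message is pointing at.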
