Date: Sun, 05 Jul 1998 14:17:47 -0700 From: David Greenman <dg@root.com> To: rotel@indigo.ie Cc: "Allen Smith" <easmith@beatrice.rutgers.edu>, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com Subject: Re: bsd securelevel patch question Message-ID: <199807052117.OAA20990@implode.root.com> In-Reply-To: Your message of "Sun, 05 Jul 1998 22:03:05 -0000." <199807052103.WAA04673@indigo.ie>
>On Jul 2, 9:00am, David Greenman wrote:
>} Subject: Re: bsd securelevel patch question
>> >On Jul 2, 7:10am, David Greenman wrote:
>> >> >> >> Well, one thing that is wrong with this is that it is slow. I sure wouldn't
>> >> >> >> want my busy WWW server doing this for every connection that is made.
>> >
>> >It would only be necessary to do this for binds to ports < 1024. So it
>> >would just be checked every time a daemon started.
>>
>> Um, well, let's talk about FTP servers, then, since those do a privileged
>> bind() for every data connection that is established (one per file transfer).
>
>This can be solved by using passive mode on the FTP server side, which is
>a good idea for security conscious sites anyhow.

Passive FTP is initiated by the client and is not something that the server can enforce. Further, it does nothing to enhance security for the server - if anything, it actually reduces the security since you'd have to poke holes through any firewall to allow the client data connects.

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message