From owner-cvs-all Thu Feb 20 21:28:31 2003
Message-Id: <200302210528.h1L5SS0H092948@repoman.freebsd.org>
From: "Crist J. Clark"
Date: Thu, 20 Feb 2003 21:28:28 -0800 (PST)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/netinet in_pcb.c
X-FreeBSD-CVS-Branch: HEAD

cjc         2003/02/20 21:28:28 PST

  Modified files:
    sys/netinet          in_pcb.c
  Log:
  The ancient and outdated concept of "privileged ports" in UNIX-type
  OSes has probably caused more problems than it ever solved. Allow the
  user to retire the old behavior by specifying their own privileged
  range with,

    net.inet.ip.portrange.reservedhigh   default = IPPORT_RESERVED - 1
    net.inet.ip.portrange.reservedlo     default = 0

  Now you can run that webserver without ever needing root at all. Or
  just imagine, an ftpd that can really drop privileges, rather than
  just set the euid, and still do PORT data transfers from 20/tcp.

  Two edge cases to note,

    # sysctl net.inet.ip.portrange.reservedhigh=0

  Opens all ports to everyone, and,

    # sysctl net.inet.ip.portrange.reservedhigh=65535

  Locks all network activity to root only (which could actually have
  been achieved before with ipfw(8), but is somewhat more complicated).
  For those who stick to the old religion that 0-1023 belong to root
  and root alone, don't touch the knobs (or even lock them by raising
  securelevel(8)), and nothing changes.

  Revision  Changes    Path
  1.120     +15 -2     src/sys/netinet/in_pcb.c
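The following is an added illustration, not the code from src/sys/netinet/in_pcb.c: a user-space model of the bind-time privilege test controlled by the two new sysctls. It assumes the kernel check is an inclusive range test on the requested local port (port 0 meaning "pick an ephemeral port" and never needing privilege); under that assumption it reproduces the two edge cases from the log and the ftpd scenario where 20/tcp is made bindable without root.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IPPORT_RESERVED 1024

/* Mirrors the two sysctl knobs; values are the defaults from the commit log. */
struct portrange_cfg {
    uint16_t reservedlo;    /* net.inet.ip.portrange.reservedlo, default 0 */
    uint16_t reservedhigh;  /* net.inet.ip.portrange.reservedhigh, default 1023 */
};

static const struct portrange_cfg default_cfg = { 0, IPPORT_RESERVED - 1 };

/* Assumed model of the kernel test: a port is privileged when it lies in
 * [reservedlo, reservedhigh]. lport == 0 requests an ephemeral port. */
bool port_needs_root(const struct portrange_cfg *cfg, uint16_t lport)
{
    if (lport == 0)
        return false;
    return lport >= cfg->reservedlo && lport <= cfg->reservedhigh;
}

/* Would bind() to lport succeed for a process with effective uid euid? */
bool bind_permitted(const struct portrange_cfg *cfg, uint16_t lport, unsigned euid)
{
    return euid == 0 || !port_needs_root(cfg, lport);
}

int main(void)
{
    /* Constructed configurations matching the scenarios in the log message. */
    struct portrange_cfg open_all = { 0, 0 };      /* reservedhigh=0 */
    struct portrange_cfg lock_all = { 0, 65535 };  /* reservedhigh=65535 */
    struct portrange_cfg ftp_data = { 0, 19 };     /* 20/tcp no longer privileged */
    unsigned uid = 1001;                           /* an unprivileged user */

    printf("default, port 80:           %s\n", bind_permitted(&default_cfg, 80, uid) ? "ok" : "EACCES");
    printf("reservedhigh=0, port 80:    %s\n", bind_permitted(&open_all, 80, uid) ? "ok" : "EACCES");
    printf("reservedhigh=65535, 8080:   %s\n", bind_permitted(&lock_all, 8080, uid) ? "ok" : "EACCES");
    printf("reservedhigh=19, port 20:   %s\n", bind_permitted(&ftp_data, 20, uid) ? "ok" : "EACCES");
    printf("reservedhigh=19, port 19:   %s\n", bind_permitted(&ftp_data, 19, uid) ? "ok" : "EACCES");
    return 0;
}
```

Lowering reservedhigh lets every local user bind the ports it releases, so any service on the host that treats a low source or listening port as evidence of root must be reviewed before the knob is changed.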