From owner-cvs-all Thu Feb 20 22:16:42 2003
Delivered-To: cvs-all@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id DBEDC37B401;
	Thu, 20 Feb 2003 22:16:40 -0800 (PST)
Received: from dilbert.robbins.dropbear.id.au (142.b.006.mel.iprimus.net.au [210.50.45.142])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B551F43FBF;
	Thu, 20 Feb 2003 22:16:37 -0800 (PST)
	(envelope-from tim@robbins.dropbear.id.au)
Received: from dilbert.robbins.dropbear.id.au (lqeb3le2gftd26xd@localhost [127.0.0.1])
	by dilbert.robbins.dropbear.id.au (8.12.6/8.12.6) with ESMTP id h1L6GV2c035843;
	Fri, 21 Feb 2003 17:16:32 +1100 (EST)
	(envelope-from tim@dilbert.robbins.dropbear.id.au)
Received: (from tim@localhost)
	by dilbert.robbins.dropbear.id.au (8.12.6/8.12.6/Submit) id h1L6GUq8035842;
	Fri, 21 Feb 2003 17:16:30 +1100 (EST)
	(envelope-from tim)
Date: Fri, 21 Feb 2003 17:16:30 +1100
From: Tim Robbins
To: Garance A Drosihn
Cc: "Crist J. Clark" , src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet in_pcb.c (priv ports)
Message-ID: <20030221171630.A34862@dilbert.robbins.dropbear.id.au>
References: <200302210528.h1L5SS0H092948@repoman.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: ; from drosih@rpi.edu on Fri, Feb 21, 2003 at 12:54:04AM -0500
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Fri, Feb 21, 2003 at 12:54:04AM -0500, Garance A Drosihn wrote:
> At 9:28 PM -0800 2/20/03, Crist J. Clark wrote:
> >cjc         2003/02/20 21:28:28 PST
> >
> >  Modified files:
> >    sys/netinet          in_pcb.c
> >  Log:
> >  The ancient and outdated concept of "privileged ports" in UNIX-type
> >  OSes has probably caused more problems than it ever solved. Allow the
> >  user to retire the old behavior by specifying their own privileged
> >  range with,
> >
> >    net.inet.ip.portrange.reservedhigh    default = IPPORT_RESERVED - 1
> >    net.inet.ip.portrange.reservedlo      default = 0
> >
> >  Now you can run that webserver without ever needing root at all. Or
> >  just imagine, an ftpd that can really drop privileges, rather than
> >  just set the euid, and still do PORT data transfers from 20/tcp.
>
> While this can be useful, it would be nice if there was also an
> exception-mechanism, instead of just a "lo" and "high" value.
> If I want to run a web server without needing root, then I'd like
> to allow port 80, and not an entire range of 0-80 or 80-1024.
>
> Would that be hard to implement?  Maybe even tied to a userid?

I think ipfw could do what you want, including matching on userid.


Tim

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
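The combination Tim suggests, namely shrinking the root-only range with the new sysctls and then using ipfw's per-uid matching to confine the ports that shrinking frees, written out as an added example script. It is not part of this thread and not FreeBSD's own code. It assumes the sysctl names quoted in the commit log and the `uid`, `me`, `in` and `setup` keywords of ipfw(8); `bind_allowed` is a model of the range test the commit describes, not the kernel's actual code, and `WWW_USER`, `WWW_PORT`, `run` and `apply_rules` are this script's own names. `DRY_RUN` defaults to 1, so by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD: let one unprivileged
# user serve one low port, and hand the other freed low ports back to root.
# Assumed: the sysctl names from the commit log and ipfw(8)'s uid/me/in/setup
# keywords. WWW_USER, WWW_PORT, run, bind_allowed and apply_rules are ours.

WWW_USER=${WWW_USER:-www}     # unprivileged user that owns the listening socket
WWW_PORT=${WWW_PORT:-80}      # the one low port that user may serve
DRY_RUN=${DRY_RUN:-1}         # 1: print commands only; 0: execute them (as root)

# Print a command, and execute it unless DRY_RUN=1.
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# Model of the range test the commit describes: binding port $1 as uid $2 is
# refused when reservedlow ($3) <= port <= reservedhigh ($4) and uid is not 0.
# Exit status 0 means the bind is allowed, 1 means it is refused.
bind_allowed() {
    port=$1 uid=$2 lo=$3 hi=$4
    if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && [ "$uid" -ne 0 ]; then
        return 1
    fi
    return 0
}

# Shrink the root-only range to 0..WWW_PORT-1 so WWW_PORT binds without root.
# That also frees WWW_PORT+1..1023, which a "lo"/"high" pair cannot avoid
# (Garance's point).  The ipfw rules accept connections on WWW_PORT only for
# sockets owned by WWW_USER, and on the other freed ports only for sockets
# owned by root; everything else on those ports is refused at the SYN.
apply_rules() {
    run sysctl net.inet.ip.portrange.reservedhigh=$((WWW_PORT - 1))
    run ipfw add 1000 allow tcp from any to me "$WWW_PORT" in setup uid "$WWW_USER"
    run ipfw add 1010 deny tcp from any to me "$WWW_PORT" in setup
    if [ "$WWW_PORT" -lt 1023 ]; then
        rest="$((WWW_PORT + 1))-1023"
        run ipfw add 1020 allow tcp from any to me "$rest" in setup uid root
        run ipfw add 1030 deny tcp from any to me "$rest" in setup
    fi
}

case "${1:-}" in
    apply) apply_rules ;;
    "")    ;;
    *)     echo "usage: DRY_RUN=0 $0 apply   (omit DRY_RUN=0 to preview)" >&2; exit 2 ;;
esac
```

Run `sh privports.sh apply` to preview the commands and `DRY_RUN=0 sh privports.sh apply` as root to apply them. Note what the firewall does and does not give you: ipfw filters packets by socket owner, so a local user who binds 443 before the real daemon starts still holds the port; the deny rules only stop that socket from receiving connections. The range sysctls decide who may bind, the ipfw rules decide whose sockets may be reached, and the two together approximate the per-port, per-user exception Garance asks for.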