Date: Fri, 21 Feb 2003 15:12:05 +0200
From: "Ruslan (Mdoc Wraith) Ermilov" <ru@freebsd.org>
To: "Crist J. Clark" <cjc@freebsd.org>
Cc: src-committers@freebsd.org, cvs-src@freebsd.org, cvs-all@freebsd.org
Subject: Re: cvs commit: src/sys/netinet in_pcb.c
Message-ID: <20030221131205.GE30966@sunbay.com>
In-Reply-To: <200302210528.h1L5SS0H092948@repoman.freebsd.org>
References: <200302210528.h1L5SS0H092948@repoman.freebsd.org>
On Thu, Feb 20, 2003 at 09:28:28PM -0800, Crist J. Clark wrote:
> cjc         2003/02/20 21:28:28 PST
>
>   Modified files:
>     sys/netinet          in_pcb.c
>   Log:
>   The ancient and outdated concept of "privileged ports" in UNIX-type
>   OSes has probably caused more problems than it ever solved. Allow the
>   user to retire the old behavior by specifying their own privileged
>   range with,
>
>     net.inet.ip.portrange.reservedhigh default = IPPORT_RESERVED - 1
>     net.inet.ip.portrange.reservedlo   default = 0
>
>   Now you can run that webserver without ever needing root at all. Or
>   just imagine, an ftpd that can really drop privileges, rather than
>   just set the euid, and still do PORT data transfers from 20/tcp.
>
>   Two edge cases to note,
>
>     # sysctl net.inet.ip.portrange.reservedhigh=0
>
>   Opens all ports to everyone, and,
>
>     # sysctl net.inet.ip.portrange.reservedhigh=65535
>
>   Locks all network activity to root only (which could actually have
>   been achieved before with ipfw(8), but is somewhat more
>   complicated).
>
>   For those who stick to the old religion that 0-1023 belong to root and
>   root alone, don't touch the knobs (or even lock them by raising
>   securelevel(8)), and nothing changes.
>
Please put this excellent description into the ip(4) manpage, where it
actually belongs.
Thanks,
-- 
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine
http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
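The semantics of the two knobs quoted above, as an added user-space model that is not part of the thread and not the in_pcb.c code: a port is reserved when it lies in [reservedlow, reservedhigh], and only uid 0 may bind a reserved port explicitly. The commit log abbreviates the low knob as "reservedlo"; the model uses reservedlow, the name sysctl(8) reports. The parser accepts the `knob=value` form typed into sysctl(8), rejects values outside the 16-bit port space, and the scenario table in main() includes a hypothetical reservedhigh=19 setting to show the ftpd-on-20/tcp case the log describes. Port 0 (ephemeral allocation) is deliberately outside the model; only explicit bind requests are checked.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IPPORT_RESERVED 1024 /* same constant as <netinet/in.h> */

/* Illustrative user-space model of the two sysctl knobs (not the kernel's data). */
struct portrange_policy {
    int reservedlow;    /* net.inet.ip.portrange.reservedlow,  default 0 */
    int reservedhigh;   /* net.inet.ip.portrange.reservedhigh, default IPPORT_RESERVED - 1 */
};

static void portrange_defaults(struct portrange_policy *p)
{
    p->reservedlow = 0;
    p->reservedhigh = IPPORT_RESERVED - 1;
}

/* Parse one "net.inet.ip.portrange.reserved{low,high}=<n>" assignment, the form
 * given to sysctl(8).  Returns 0 on success, -1 on an unknown knob, a malformed
 * number, or a value outside 0..65535. */
int portrange_apply(struct portrange_policy *p, const char *line)
{
    static const char prefix[] = "net.inet.ip.portrange.";
    size_t plen = sizeof(prefix) - 1;
    if (strncmp(line, prefix, plen) != 0)
        return -1;
    const char *knob = line + plen;
    const char *eq = strchr(knob, '=');
    if (eq == NULL)
        return -1;
    char *end;
    errno = 0;
    long v = strtol(eq + 1, &end, 10);
    if (errno != 0 || end == eq + 1 || *end != '\0' || v < 0 || v > 65535)
        return -1;
    size_t klen = (size_t)(eq - knob);
    if (klen == 12 && strncmp(knob, "reservedhigh", 12) == 0)
        p->reservedhigh = (int)v;
    else if (klen == 11 && strncmp(knob, "reservedlow", 11) == 0)
        p->reservedlow = (int)v;
    else
        return -1;
    return 0;
}

/* The bind-time decision the commit log describes: an explicit port inside
 * [reservedlow, reservedhigh] is reserved and only uid 0 may bind it.
 * Port 0 means "pick an ephemeral port" and is not modelled here. */
bool portrange_may_bind(const struct portrange_policy *p, unsigned uid, int port)
{
    if (port <= 0 || port > 65535)
        return false;               /* not an explicit, bindable port */
    bool reserved = port >= p->reservedlow && port <= p->reservedhigh;
    return !reserved || uid == 0;
}

/* Start from the defaults, apply one optional sysctl line, and report whether
 * uid may bind port: 1 allowed, 0 denied, -1 if the sysctl line did not parse. */
int bind_allowed_under(const char *sysctl_line, unsigned uid, int port)
{
    struct portrange_policy p;
    portrange_defaults(&p);
    if (sysctl_line != NULL && portrange_apply(&p, sysctl_line) != 0)
        return -1;
    return portrange_may_bind(&p, uid, port) ? 1 : 0;
}

int main(void)
{
    /* Constructed scenarios: the stock range, the two edge cases from the
     * commit log, and a hypothetical setting that frees 20/tcp. */
    const char *cases[] = {
        NULL,
        "net.inet.ip.portrange.reservedhigh=0",
        "net.inet.ip.portrange.reservedhigh=65535",
        "net.inet.ip.portrange.reservedhigh=19",
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        printf("%-44s uid1000:20=%d uid1000:80=%d uid1000:8080=%d root:80=%d\n",
               cases[i] ? cases[i] : "(defaults)",
               bind_allowed_under(cases[i], 1000, 20),
               bind_allowed_under(cases[i], 1000, 80),
               bind_allowed_under(cases[i], 1000, 8080),
               bind_allowed_under(cases[i], 0, 80));
    }
    return 0;
}
```

Note that reservedhigh=0 leaves the reserved set empty for explicit ports (1 is already above it), while reservedhigh=65535 covers every explicit port, which is why those two values are the "all open" and "root only" extremes in the log.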
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030221131205.GE30966>