Date: Fri, 21 Feb 2003 15:12:05 +0200
From: "Ruslan (Mdoc Wraith) Ermilov" <ru@freebsd.org>
To: "Crist J. Clark" <cjc@freebsd.org>
Cc: src-committers@freebsd.org, cvs-src@freebsd.org, cvs-all@freebsd.org
Subject: Re: cvs commit: src/sys/netinet in_pcb.c
Message-ID: <20030221131205.GE30966@sunbay.com>
In-Reply-To: <200302210528.h1L5SS0H092948@repoman.freebsd.org>
References: <200302210528.h1L5SS0H092948@repoman.freebsd.org>

On Thu, Feb 20, 2003 at 09:28:28PM -0800, Crist J. Clark wrote:
> cjc         2003/02/20 21:28:28 PST
>
>   Modified files:
>     sys/netinet          in_pcb.c
>   Log:
>   The ancient and outdated concept of "privileged ports" in UNIX-type
>   OSes has probably caused more problems than it ever solved. Allow the
>   user to retire the old behavior by specifying their own privileged
>   range with,
>
>     net.inet.ip.portrange.reservedhigh  default = IPPORT_RESERVED - 1
>     net.inet.ip.portrange.reservedlo    default = 0
>
>   Now you can run that webserver without ever needing root at all. Or
>   just imagine, an ftpd that can really drop privileges, rather than
>   just set the euid, and still do PORT data transfers from 20/tcp.
>
>   Two edge cases to note,
>
>     # sysctl net.inet.ip.portrange.reservedhigh=0
>
>   Opens all ports to everyone, and,
>
>     # sysctl net.inet.ip.portrange.reservedhigh=65535
>
>   Locks all network activity to root only (which could actually have
>   been achieved before with ipfw(8), but is somewhat more
>   complicated).
>
>   For those who stick to the old religion that 0-1023 belong to root and
>   root alone, don't touch the knobs (or even lock them by raising
>   securelevel(8)), and nothing changes.
>
Please put this excellent description into the ip(4) manpage,
where it actually belongs.

Thanks,
-- 
Ruslan Ermilov          Sysadmin and DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age
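
The following audit sketch is an added example, not part of the commit or of this message: it models the reserved range from the quoted log as an inclusive low..high test and reports which listeners below 1024 sit on ports that any local user could bind once the knobs are changed. The function names, the "port name" input format and the sample listeners are assumptions made for illustration, as is treating port 0 (kernel-chosen port) as never reserved.

```shell
#!/bin/sh
# Added example: model of the privileged-port range described in the log.

# port_is_reserved LOW HIGH PORT
# Exit 0 when an explicit bind to PORT would need root, i.e.
# LOW <= PORT <= HIGH. Port 0 is not an explicit bind (assumption).
port_is_reserved() {
    [ "$3" -gt 0 ] && [ "$3" -ge "$1" ] && [ "$3" -le "$2" ]
}

# audit_listeners LOW HIGH   (reads "port name" lines on stdin)
# For every listener below 1024 prints one finding:
#   OK      port is still root-only to bind
#   EXPOSED port is outside the reserved range, so if the service is
#           down any local user can bind it and impersonate the service
audit_listeners() {
    while read -r port name; do
        [ -n "$port" ] && [ "$port" -lt 1024 ] || continue
        if port_is_reserved "$1" "$2" "$port"; then
            echo "OK $port $name"
        else
            echo "EXPOSED $port $name"
        fi
    done
}

# Constructed sample listeners, not taken from the page.
demo() {
    printf '%s\n' '21 ftpd' '22 sshd' '80 httpd' '8080 proxy' |
        audit_listeners "$1" "$2"
}

echo "defaults from the log (0 to IPPORT_RESERVED - 1 = 1023):"
demo 0 1023
echo "edge case reservedhigh=0:"
demo 0 0
```

On a live system the two arguments would come from the sysctl values and the listener list from sockstat(1) or similar output reduced to "port name" pairs.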
