Date: Fri, 21 Feb 2003 15:12:05 +0200
From: "Ruslan (Mdoc Wraith) Ermilov"
To: "Crist J. Clark"
Cc: src-committers@freebsd.org, cvs-src@freebsd.org, cvs-all@freebsd.org
Subject: Re: cvs commit: src/sys/netinet in_pcb.c
Message-ID: <20030221131205.GE30966@sunbay.com>
In-Reply-To: <200302210528.h1L5SS0H092948@repoman.freebsd.org>

On Thu, Feb 20, 2003 at 09:28:28PM -0800, Crist J. Clark wrote:
> cjc         2003/02/20 21:28:28 PST
>
>   Modified files:
>     sys/netinet          in_pcb.c
>   Log:
>   The ancient and outdated concept of "privileged ports" in UNIX-type
>   OSes has probably caused more problems than it ever solved. Allow the
>   user to retire the old behavior by specifying their own privileged
>   range with,
>
>     net.inet.ip.portrange.reservedhigh    default = IPPORT_RESERVED - 1
>     net.inet.ip.portrange.reservedlo      default = 0
>
>   Now you can run that webserver without ever needing root at all. Or
>   just imagine, an ftpd that can really drop privileges, rather than
>   just set the euid, and still do PORT data transfers from 20/tcp.
>
>   Two edge cases to note,
>
>     # sysctl net.inet.ip.portrange.reservedhigh=0
>
>   Opens all ports to everyone, and,
>
>     # sysctl net.inet.ip.portrange.reservedhigh=65535
>
>   Locks all network activity to root only (which could actually have
>   been achieved before with ipfw(8), but is somewhat more
>   complicated).
>
>   For those who stick to the old religion that 0-1023 belong to root and
>   root alone, don't touch the knobs (or even lock them by raising
>   securelevel(8)), and nothing changes.
>
Please put this excellent description into the ip(4) manpage, where it
actually belongs.

Thanks,
-- 
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine
http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
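The reserved-range rule quoted in the commit log, modelled as a stand-alone C program so an administrator can check what a proposed pair of sysctl values would do before applying it. This is an added illustration, not the in_pcb.c source or the commit's code: it assumes the rule is "an explicit bind(2) to a port P is refused to non-root callers exactly when reservedlo <= P <= reservedhigh" (knob names as spelled in the log), and it only covers explicit port requests, not kernel-chosen ephemeral ports. The function names `bind_allowed` and `reserved_port_count` and the three `pr_*` configurations are the example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added model (not in_pcb.c) of the reserved-port rule from the log:
 * a port is "reserved" when reservedlo <= port <= reservedhigh, and an
 * explicit bind(2) to a reserved port needs superuser privilege.
 */

#define IPPORT_RESERVED 1024   /* historical UNIX constant: 0-1023 reserved */

struct portrange {
    uint16_t reservedlo;       /* net.inet.ip.portrange.reservedlo   */
    uint16_t reservedhigh;     /* net.inet.ip.portrange.reservedhigh */
};

/* The three configurations discussed in the log (assumed values). */
static const struct portrange pr_default   = { 0, IPPORT_RESERVED - 1 }; /* classic 0-1023   */
static const struct portrange pr_open_all  = { 0, 0 };                   /* reservedhigh=0    */
static const struct portrange pr_root_only = { 0, 65535 };               /* reservedhigh=65535 */

/* May this caller bind explicitly to 'port' (1..65535)?  Root always may;
 * everyone else is refused only inside the reserved range. */
bool
bind_allowed(const struct portrange *pr, uint16_t port, bool is_root)
{
    bool reserved = port >= pr->reservedlo && port <= pr->reservedhigh;
    return is_root || !reserved;
}

/* How many of ports 1..65535 are root-only under this configuration.
 * A quick sanity check before committing a setting to sysctl.conf. */
unsigned
reserved_port_count(const struct portrange *pr)
{
    unsigned n = 0;
    for (unsigned p = 1; p <= 65535; p++)
        if (!bind_allowed(pr, (uint16_t)p, false))
            n++;
    return n;
}

int
main(void)
{
    const struct { const char *name; const struct portrange *pr; } cfgs[] = {
        { "default (0-1023)",   &pr_default   },
        { "reservedhigh=0",     &pr_open_all  },
        { "reservedhigh=65535", &pr_root_only },
    };
    for (size_t i = 0; i < sizeof cfgs / sizeof cfgs[0]; i++) {
        printf("%-20s root-only ports: %5u  port 80 as non-root: %s\n",
               cfgs[i].name, reserved_port_count(cfgs[i].pr),
               bind_allowed(cfgs[i].pr, 80, false) ? "allowed" : "denied");
    }
    return 0;
}
```

Two things the model makes visible that the prose only implies: with reservedhigh=0 the reserved range collapses to port 0 alone, and since an explicit bind to 0 means "pick a port for me" rather than a real port, nothing is left reserved; and the ftpd case in the log follows by choosing a range that excludes 20/tcp (for instance reservedhigh=19), which keeps the ports below it root-only while letting a fully unprivileged daemon bind the data port. The caveat a practitioner should keep in mind when shrinking the range is that a low source port then no longer proves the peer process ran as root, so any remaining protocol or firewall rule that treated ports below 1024 as a trust signal loses that signal on hosts configured this way.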