Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 21 Feb 2003 09:50:24 -0800
From:      "Crist J. Clark" <crist.clark@attbi.com>
To:        Darren Reed <darrenr@reed.wattle.id.au>
Cc:        "Jeroen C. van Gelderen" <jeroen@vangelderen.org>, src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/sys/netinet in_pcb.c
Message-ID:  <20030221175024.GA90209@blossom.cjclark.org>
In-Reply-To: <200302211646.DAA01570@avalon.reed.wattle.id.au>
References:  <326CFC6B-459E-11D7-9535-000393754B1C@vangelderen.org> <200302211646.DAA01570@avalon.reed.wattle.id.au>

next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Feb 22, 2003 at 03:46:22AM +1100, Darren Reed wrote:
> In some email I received from Jeroen C. van Gelderen, sie wrote:
> > On Friday, Feb 21, 2003, at 06:28 Europe/Amsterdam, Crist J. Clark 
> > wrote:
> > > cjc         2003/02/20 21:28:28 PST
> > >
> > >   Modified files:
> > >     sys/netinet          in_pcb.c
> > >   Log:
> > >   The ancient and outdated concept of "privileged ports" in UNIX-type
> > >   OSes has probably caused more problems than it ever solved. Allow the
> > >   user to retire the old behavior by specifying their own privileged
> > >   range with,
> > >
> > >     net.inet.ip.portrange.reservedhigh  default = IPPORT_RESERVED - 1
> > >     net.inet.ip.portrange.reservedlo    default = 0
> > 
> > Thank you, thank you, thank you!
> 
> FWIW, this feature is in line with similar settings available on
> Solaris but perhaps they're more in tune with the threat here:
> 
> # ndd /dev/tcp tcp_smallest_nonpriv_port
> 1024
> # ndd -set /dev/tcp tcp_smallest_nonpriv_port 1023
> operation failed, Invalid argument
> 
> If we assume that ports < 1024 are part of a "priviledge base" then
> the correct way to get access to them from a non-root application is
> through MAC (Robert Watson) or something like systrace.

The way the code was, the restriction of < 1024 was absolute. Now it
is possible to turn off this hardcoded lock and _then_ put some other
control mechanism (like some MAC/trusted OS tools, systrace, whatever)
on top of this.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030221175024.GA90209>