From owner-freebsd-hackers Tue Jan 7 19:45:19 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id TAA10379 for hackers-outgoing; Tue, 7 Jan 1997 19:45:19 -0800 (PST)
Received: from cold.org (cold.org [206.81.134.103]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id TAA10374 for ; Tue, 7 Jan 1997 19:45:14 -0800 (PST)
Received: from localhost (brandon@localhost) by cold.org (8.8.3/8.8.3) with SMTP id UAA26699 for ; Tue, 7 Jan 1997 20:45:17 -0700 (MST)
Date: Tue, 7 Jan 1997 20:45:17 -0700 (MST)
From: Brandon Gillespie
To: freebsd-hackers@freebsd.org
Subject: Selective Port Control (was Re: sendmail running non-root SUCCESS!)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 7 Jan 1997, Jimbo Bahooli wrote:

> 6. edit /etc/sendmail.cf to bind to a port above the 1024 line. example:
>
> O DaemonPortOptions=Port=2025
>
> 7. edit /etc/inetd.conf to redirect to port 2025 using netcat. example:

I'm not sure how feasible it is, but one thing that would make securing some network services EXTREMELY easier would be to be able to dynamically configure port permissions, rather than to globally restrict them to 'root'. Perhaps something like /etc/port.access, which is formatted as the 'port' (either an integer or service name) followed by some sort of access specifier, such as the common group.user. Examples:

    smtp    daemon.mail
    nntp    newsman.news
    480     special.group
    http    webman.www

etc..

Just a thought, but it'd not only help in securing things from running as root but it'd make it a lot easier to customize daemons privately, among many others. The security factor alone would seem to be a win. Off the bat I would think most services would run as other users if this were available..

-Brandon Gillespie
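The post sketches a file format but not the decision logic behind it. The following is an added example, not code from the post's author, from FreeBSD or from sendmail: it parses a constructed /etc/port.access in the two-column "<port-or-service> <group>.<user>" shape the post proposes, and models the bind-time check a kernel would make, falling back to the traditional "ports below 1024 need root" rule for unlisted ports. The `SERVICES` table is a constructed stand-in for /etc/services, and the names `Rule`, `parse_port_access`, `resolve_port` and `may_bind`, as well as the choice that root is always allowed, are assumptions of this example.

```python
"""Toy model of the /etc/port.access scheme floated in the post above.

Added example, not code from FreeBSD, from sendmail, or from the post's author.
Every name here (the port.access syntax, Rule, may_bind, the sample services
table) is an assumption built from the "<port-or-service> <group>.<user>"
lines the post gives as examples.
"""
from dataclasses import dataclass

# Constructed stand-in for getservbyname()/etc/services so the example runs
# offline with deterministic results.
SERVICES = {"smtp": 25, "http": 80, "nntp": 119}

# Constructed sample of the proposed file, using the post's own four lines.
PORT_ACCESS = """\
# port or service    group.user
smtp    daemon.mail
nntp    newsman.news
480     special.group
http    webman.www
"""


@dataclass(frozen=True)
class Rule:
    port: int
    group: str
    user: str


def resolve_port(token: str) -> int:
    """Map an integer or a service name to a TCP port number."""
    port = int(token) if token.isdigit() else SERVICES.get(token)
    if port is None:
        raise ValueError(f"unknown service name {token!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    return port


def parse_port_access(text: str) -> dict[int, Rule]:
    """Parse port.access text into {port: Rule}; malformed lines raise."""
    rules: dict[int, Rule] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2 or "." not in fields[1]:
            raise ValueError(f"line {lineno}: expected '<port> <group>.<user>'")
        port = resolve_port(fields[0])
        if port in rules:
            raise ValueError(f"line {lineno}: duplicate entry for port {port}")
        group, user = fields[1].split(".", 1)
        rules[port] = Rule(port, group, user)
    return rules


def may_bind(rules: dict[int, Rule], port: int, user: str, groups: set[str]) -> bool:
    """Decide whether a process running as `user` with `groups` may bind `port`.

    A listed port is open to its named user or to members of its named group
    (root is also allowed; that is an assumption of this example).  Unlisted
    ports keep the traditional rule: below 1024 needs root, the rest is open.
    """
    if user == "root":
        return True
    rule = rules.get(port)
    if rule is not None:
        return user == rule.user or rule.group in groups
    return port >= 1024


if __name__ == "__main__":
    rules = parse_port_access(PORT_ACCESS)
    for port, user, groups in [(25, "mail", {"mail"}), (25, "nobody", {"nobody"}),
                               (2025, "nobody", {"nobody"}), (443, "www", {"www"})]:
        verdict = "allow" if may_bind(rules, port, user, groups) else "deny"
        print(f"port {port:5} as {user:7} -> {verdict}")
```

The model only makes the policy decision; on a real system the check would have to sit in the kernel's bind(2) path so that an unprivileged sendmail bound directly to port 25 without the inetd/netcat redirect from the quoted steps. FreeBSD later shipped this idea as the mac_portacl(4) policy module, which grants bind rights on specific ports by uid or gid.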