From: Robert Watson
Date: Wed, 20 Aug 2008 13:31:08 +0100 (BST)
To: Dag-Erling Smorgrav
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/crypto/openssh readconf.c
In-Reply-To: <200808201040.m7KAeDxX051115@repoman.freebsd.org>
List-Id: CVS commit messages for the src tree

On Wed, 20 Aug 2008, Dag-Erling Smorgrav wrote:

> des         2008-08-20 10:40:07 UTC
>
>   FreeBSD src repository
>
>   Modified files:
>     crypto/openssh       readconf.c
>   Log:
>   SVN rev 181918 on 2008-08-20 10:40:07Z by des
>
>   Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED.
>   Submitted upstream, no reaction.
>
>   Submitted by:   delphij@
>   MFC after:      2 weeks

While better than what was there before, I still think that this code is
incorrect.
SSH should be using the user credential to create and bind forwarding
sockets, not the root credential, and should not be attempting to guess the
kernel's policy, even if that guess is now a bit more informed. However, I
guess that the more complete and desirable fix is more complicated...

Robert N M Watson
Computer Laboratory
University of Cambridge
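The two approaches contrasted in the reply above, as an added illustration
that is not OpenSSH's code and not part of the original thread. The first
function is the "guess" the commit refines: userspace compares the port
against a boundary it believes the kernel uses (IPPORT_RESERVED, or the
value read from net.inet.ip.portrange.reservedhigh on FreeBSD; here the
boundary is just a parameter, since the function cannot know about jails,
MAC policies or a later sysctl change). The second does what Watson asks
for: it binds the forwarding socket while holding the user's credential and
returns the kernel's own verdict. All names (bind_as_user,
listen_forward_as_user, bound_port) are invented for this example, and it
assumes a privileged process that can switch its effective uid/gid with
seteuid()/setegid() (or an unprivileged one switching to its own ids).

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Approach 1: replicate (guess) the kernel's reserved-port policy from a
 * boundary value. Hypothetical helper; reserved_high plays the role of
 * IPPORT_RESERVED (1024) or the reservedhigh sysctl. */
int port_looks_reserved(int port, int reserved_high)
{
    return port > 0 && port < reserved_high;
}

/* Approach 2: bind while running as the user and let the kernel decide.
 * Returns bind()'s result; on failure *out_errno carries the kernel's
 * reason (EACCES for a port this credential may not bind). */
int bind_as_user(int fd, uid_t uid, gid_t gid,
                 const struct sockaddr *sa, socklen_t salen, int *out_errno)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int rc = -1, err = 0;

    /* Group first: once the euid is unprivileged, setegid() would fail. */
    if (setegid(gid) != 0) { err = errno; goto out; }
    if (seteuid(uid) != 0) { err = errno; goto restore_gid; }

    rc = bind(fd, sa, salen);           /* the kernel applies its policy */
    if (rc != 0)
        err = errno;

    /* Regain the daemon's ids in reverse order. A daemon that cannot
     * restore its credential must not carry on, so fail hard. */
    if (seteuid(saved_euid) != 0)
        abort();
restore_gid:
    if (setegid(saved_egid) != 0)
        abort();
out:
    if (out_errno != NULL)
        *out_errno = err;
    return rc;
}

/* Loopback TCP listener for a port forward on behalf of uid/gid.
 * Returns the fd, or -1 with *out_errno set. Port 0 = ephemeral. */
int listen_forward_as_user(uid_t uid, gid_t gid, int port, int *out_errno)
{
    struct sockaddr_in sin;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) {
        if (out_errno != NULL) *out_errno = errno;
        return -1;
    }
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons((uint16_t)port);
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

    if (bind_as_user(fd, uid, gid, (struct sockaddr *)&sin, sizeof sin,
                     out_errno) != 0) {
        close(fd);
        return -1;
    }
    if (listen(fd, 16) != 0) {
        if (out_errno != NULL) *out_errno = errno;
        close(fd);
        return -1;
    }
    return fd;
}

/* Port the kernel actually assigned (useful when port 0 was requested). */
int bound_port(int fd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    if (getsockname(fd, (struct sockaddr *)&sin, &len) != 0)
        return -1;
    return ntohs(sin.sin_port);
}

int main(void)
{
    int err = 0, port = 80;
    printf("guess : port %d %s reserved (boundary 1024)\n", port,
           port_looks_reserved(port, 1024) ? "looks" : "does not look");
    int fd = listen_forward_as_user(getuid(), getgid(), port, &err);
    if (fd < 0)
        printf("kernel: bind(%d) as uid %u refused: %s\n", port,
               (unsigned)getuid(), strerror(err));
    else {
        printf("kernel: bind(%d) as uid %u allowed\n", port, (unsigned)getuid());
        close(fd);
    }
    return 0;
}
```

Run as an ordinary user, the guess says port 80 "looks reserved" and the
kernel says EACCES; run as root on a system with a non-default policy, the
two can disagree, which is the point of the reply: the kernel's answer is
the policy, the userspace comparison is only an approximation of it. Note
that seteuid()/setegid() change the credential of the whole process, so a
real daemon would do this in a child that serves only that user rather than
toggling ids around every bind().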