Date: Thu, 27 Mar 1997 04:43:11 +1100 (EST) From: proff@suburbia.net To: dg@root.com Cc: hackers@freebsd.org Subject: Re: Privileged ports... Message-ID: <19970326174311.13007.qmail@suburbia.net> In-Reply-To: <199703261441.GAA12899@root.com> from David Greenman at "Mar 26, 97 06:41:11 am"
next in thread | previous in thread | raw e-mail | index | archive | help
> >The only problem here is that it kinda defeats the whole purpose of prived > >ports in the first place. I guess the whole thing here is to write small > >programs that do the necessary SUID bit, then drop back down into > >nonrootland to continue. > > > >David (and anyone else interested) - I'd be very interested in hearing > >what security holes would be introduced by having a UID (or GID) to bind > >to priv'ed ports. > > None that I can think of if I understand you correctly. The thing you > want to prevent is regular users being able to bind to a privileged port. > It would take an average cracker less than 5 minutes to whip up a couple > of really nasty programs (such as one that pretends to be rlogin - claiming > to be some other user). As long as you retain control over who/what can > bind to the privileged ports, I don't see any problem. > > David Greenman > Core-team/Principal Architect, The FreeBSD Project I already wrote code to do this, which merged the whole domain into ipfw, together with uid/gid rules for all incoming and outgoing traffic at a packet level. Trod on too many toes I think. Cheers, Julian.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19970326174311.13007.qmail>