Date: Thu, 27 Mar 1997 14:42:16 +0800 (WST) From: Adrian Chadd <adrian@obiwan.aceonline.com.au> To: Adam Shostack <adam@homeport.org> Cc: freebsd-security@FreeBSD.ORG Subject: Re: Privileged ports... Message-ID: <Pine.BSF.3.95q.970327143649.1922A-100000@obiwan.aceonline.com.au> In-Reply-To: <199703261631.LAA15307@homeport.org>
'Twould be nice, but remember inetd isn't the only place we want this applicable (e.g. sendmail runs as a daemon and binds to the port (25); it doesn't use inetd). Nice idea though. :)

I was just thinking about saying "let uid 100 bind to port 0 (?), uid 101 bind to port 1, etc ..." up to 1024. Although it's just the same as having a sysctl variable letting a certain UID have access to the priv'ed ports. However, if you hack an account with THAT UID, you can access ALL ports; rather, if you have separate UIDs with access to one port each, you'd have to actually hack ALL of them (or a large number of the useful ports) to do harm.

Good example - someone hacks sendmail (:).. but since it doesn't have root, all they can do is play with the sendmail binary, which isn't ever invoked as root anymore :)

--
Adrian Chadd              | UNIX, MS-DOS and Windows ...
<adrian@psinet.net.au>    | (also known as the Good, the bad and the
                          | ugly..)
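The per-UID privileged-port policy debated in this message, modelled as a small userland C check. This is an added example, not code from the thread or from FreeBSD: the rule table, the uids (100, 101, 102) and the port assignments are constructed for illustration, and bind_allowed() stands in for the check a kernel would make at bind() time in place of the plain "port below 1024 needs root" rule. It puts the two designs side by side: one sysctl-style "trusted" UID that may bind every privileged port, versus one UID per service with one port each, and measures how many privileged ports a compromise of a single account hands over in each case.

```c
#include <sys/types.h>
#include <stddef.h>
#include <stdio.h>

#define IPPORT_RESERVED 1024u  /* BSD: ports below this need privilege to bind */
#define ANY_PORT        0u     /* wildcard in a rule: every privileged port    */
#define NRULES(r)       (sizeof(r) / sizeof((r)[0]))

/* One rule: this uid may bind this privileged port (or any, if ANY_PORT). */
struct port_rule {
    uid_t    uid;
    unsigned port;
};

/* Constructed policy A: a single sysctl-style "trusted" uid for all ports
 * (the "let a certain UID have access to the priv'ed ports" design). */
static const struct port_rule single_uid_policy[] = {
    { 100, ANY_PORT },
};

/* Constructed policy B: one uid per service, one port per uid
 * (the "uid 100 binds port X, uid 101 binds port Y" design). */
static const struct port_rule per_port_policy[] = {
    { 100, 25 },   /* sendmail (made-up uid) */
    { 101, 53 },   /* named    (made-up uid) */
    { 102, 80 },   /* httpd    (made-up uid) */
};

/* The check a kernel would run at bind() time. Returns 1 if allowed.
 * Unprivileged ports stay open to everyone; root keeps its traditional
 * right to everything; any other uid needs a matching rule. */
int bind_allowed(const struct port_rule *rules, size_t n, uid_t uid, unsigned port)
{
    if (port >= IPPORT_RESERVED)
        return 1;
    if (uid == 0)
        return 1;
    for (size_t i = 0; i < n; i++) {
        if (rules[i].uid == uid &&
            (rules[i].port == ANY_PORT || rules[i].port == port))
            return 1;
    }
    return 0;
}

/* Blast radius: how many privileged ports (1..1023) an attacker who has
 * taken over 'uid' could bind under this policy. */
unsigned blast_radius(const struct port_rule *rules, size_t n, uid_t uid)
{
    unsigned count = 0;
    for (unsigned p = 1; p < IPPORT_RESERVED; p++)
        count += bind_allowed(rules, n, uid, p) ? 1u : 0u;
    return count;
}

int main(void)
{
    printf("uid 100 binds 25 under per-port policy:   %d\n",
           bind_allowed(per_port_policy, NRULES(per_port_policy), 100, 25));
    printf("uid 100 binds 80 under per-port policy:   %d\n",
           bind_allowed(per_port_policy, NRULES(per_port_policy), 100, 80));
    printf("compromise of uid 100, single-uid policy: %u privileged ports\n",
           blast_radius(single_uid_policy, NRULES(single_uid_policy), 100));
    printf("compromise of uid 100, per-port policy:   %u privileged ports\n",
           blast_radius(per_port_policy, NRULES(per_port_policy), 100));
    return 0;
}
```

Under the single-uid policy a compromised uid 100 can bind all 1023 privileged ports; under the per-port policy it gets exactly one (25), which is the whole of the argument for separate UIDs. Note that the check is only useful if each daemon really does run as its own uid and never as root; a service started as root and binding before dropping privileges never consults this table. FreeBSD later shipped this idea as the mac_portacl(4) module, with rules of the form uid:100:tcp:25.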