From owner-freebsd-security Thu Mar 27 11:41:33 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id LAA13960 for security-outgoing; Thu, 27 Mar 1997 11:41:33 -0800 (PST)
Received: from enteract.com (root@enteract.com [206.54.252.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA13949 for ; Thu, 27 Mar 1997 11:41:27 -0800 (PST)
Received: (from tqbf@localhost) by enteract.com (8.8.5/8.7.6) id NAA23050; Thu, 27 Mar 1997 13:41:04 -0600 (CST)
From: "Thomas H. Ptacek"
Message-Id: <199703271941.NAA23050@enteract.com>
Subject: Re: Privileged ports...
To: marcs@znep.com
Date: Thu, 27 Mar 1997 13:41:03 -0600 (CST)
Cc: tqbf@enteract.com, freebsd-security@FreeBSD.ORG
Reply-To: tqbf@enteract.com
In-Reply-To: from "Marc Slemko" at Mar 27, 97 06:38:58 am
X-Mailer: ELM [version 2.4 PL24 ME8a]
Content-Type: text
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> I agree completely with you. It is a very bad thing. Start with the fact
> that, by default, inetd limits services to being called 256 times a minute
> and then shuts them off and then move on to more devious ways you could

inetd doesn't release the socket address when it shuts the port off, so I
doubt you'd be able to bind over something inetd's handling. You do have a
potential problem with specific binds (over inetd's INADDR_ANY) in this
configuration, though.

The real problem, as I see it, is that if reserved ports are enough of a
security concern for you that you'd dramatically complicate your inetd
configuration to handle them, you're going to have a real security concern
if inetd dies. I think it's bad to assume that an unprivileged user can't
cause a daemon to die.

> are set to a particular default but still allow them to be changed) that
> handles setting it then add a few lines of code to the kernel to allow you
> to set the uid who can bind to each priv'd port. There are 1764 other
> things that it would be useful to be able to set in a similar way,

Why do you want a UID per reserved port? What is this getting you?

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"If you're so special, why aren't you dead?"
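The "specific bind over inetd's INADDR_ANY" hazard raised in the message above is a property of the kernel's bind(2) conflict rules, and an administrator can check how their own kernel behaves before deciding how much to worry about it. The following audit program is an added example and is not code from this thread or from inetd: it stands up a throwaway wildcard listener on an ephemeral port (assumed here to stand in for inetd, which also sets SO_REUSEADDR on its listening sockets), then tries a second bind to 127.0.0.1 on the same port, once without and once with SO_REUSEADDR, and reports whether the kernel let the specific address shadow the wildcard listener. Classic BSD-derived stacks allow the SO_REUSEADDR case; Linux refuses it while the wildcard socket is listening. Only the no-SO_REUSEADDR case is the same everywhere, so that is the only outcome a portable test can rely on.

```c
/* Added audit example (not from the thread): does this kernel let a
 * specific-address bind shadow an existing INADDR_ANY listener?
 * Only loopback and an ephemeral port are used, so it is safe to run. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Wildcard TCP listener on a kernel-chosen port, mimicking inetd's bind.
 * Returns the socket and stores the chosen port, or -1 on failure. */
static int wildcard_listener(unsigned short *port_out) {
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) return -1;
    int one = 1;
    setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one); /* as inetd does */
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = 0;                         /* kernel picks a free port */
    if (bind(s, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(s, 5) < 0) {
        close(s);
        return -1;
    }
    socklen_t len = sizeof sa;
    if (getsockname(s, (struct sockaddr *)&sa, &len) < 0) { close(s); return -1; }
    *port_out = ntohs(sa.sin_port);
    return s;
}

/* Attempt to bind 127.0.0.1:port on a fresh socket.  Returns 0 if the
 * kernel allowed the specific bind next to the wildcard listener,
 * otherwise the errno from bind(2) (EADDRINUSE when it was refused). */
static int try_specific_bind(unsigned short port, int use_reuseaddr) {
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) return errno;
    if (use_reuseaddr) {
        int one = 1;
        setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    }
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    int rc = bind(s, (struct sockaddr *)&sa, sizeof sa) < 0 ? errno : 0;
    close(s);
    return rc;
}

/* Run both probes against one wildcard listener.  Fills in the result of
 * the plain and the SO_REUSEADDR attempt; returns 0, or -1 if no listener
 * could be created. */
int probe_shadow_bind(int *plain_rc, int *reuse_rc) {
    unsigned short port;
    int l = wildcard_listener(&port);
    if (l < 0) return -1;
    *plain_rc = try_specific_bind(port, 0);
    *reuse_rc = try_specific_bind(port, 1);
    close(l);
    return 0;
}

int main(void) {
    int plain, reuse;
    if (probe_shadow_bind(&plain, &reuse) < 0) { perror("listener"); return 1; }
    printf("specific bind without SO_REUSEADDR: %s\n",
           plain ? strerror(plain) : "succeeded");
    printf("specific bind with SO_REUSEADDR:    %s\n",
           reuse ? strerror(reuse) : "succeeded (wildcard listener can be shadowed)");
    return 0;
}
```

If the second line reports "succeeded", a wildcard-bound service on that host can be shadowed for a specific local address by any process allowed to bind the port, which is one argument for having daemons bind the concrete addresses they serve rather than INADDR_ANY, and for making sure the reserved-port range is not bindable by unprivileged users should inetd die.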