From owner-freebsd-arch Wed Sep 6 8:32:53 2000
Delivered-To: freebsd-arch@freebsd.org
Received: from segfault.kiev.ua (segfault.kiev.ua [193.193.193.4]) by hub.freebsd.org (Postfix) with ESMTP id 4817137B422 for ; Wed, 6 Sep 2000 08:32:47 -0700 (PDT)
Received: (from netch@localhost) by segfault.kiev.ua (8) id SMP92660 for freebsd-arch@freebsd.org; Wed, 6 Sep 2000 18:32:44 +0300 (EEST) (envelope-from netch)
Date: Wed, 6 Sep 2000 18:32:43 +0300
From: Valentin Nechayev
To: freebsd-arch@freebsd.org
Subject: Re: thought about allocation of the first 1024th ports
Message-ID: <20000906183242.B7975@netch.kiev.ua>
Reply-To: netch@segfault.kiev.ua
References: <5FE9B713CCCDD311A03400508B8B30135878FE@bdr-xcln.is.matchlogic.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <5FE9B713CCCDD311A03400508B8B30135878FE@bdr-xcln.is.matchlogic.com>; from crandall@matchlogic.com on Tue, Sep 05, 2000 at 03:42:18PM +0000
X-42: On
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Tue, Sep 05, 2000 at 15:42:18, crandall wrote about "RE: thought about allocation of the first 1024th ports":

> We run ipfw+natd for local port redirection on some of our web servers. That
> allows us to avoid setuid root executables.
>
> I've found it to be a very workable solution for programmers and system
> admins.

It's not an objection, but just a comment; and nevertheless still ;))
"Very workable", but only in the ideal case. Consider, e.g., squid on port 3128, and an intruder's program which binds the same port with SO_REUSE*. At least it blocks the whole port if squid falls (squid likes to fall ;)) (Please don't say that there should not be bad guys' shells on the server.)
That's why I say the problem is not of large priority, but of large severity.

> On most Unix systems and on FreeBSD, the first 1024th ports can't be
> allocated by a non-root process.
> As far as I know, this is justified because services running on these
> ports generally require root privileges to accomplish their tasks because
> they are intended to be used by all the users on the system and need to
> access their data.

/netch

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message