Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 16 Aug 2001 13:22:41 -0400 (EDT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        cjclark@alum.mit.edu
Cc:        Maxim Sobolev <sobomax@FreeBSD.org>, David Malone <dwmalone@maths.tcd.ie>, Mikhail Teterin <mi@aldan.algebra.com>, alex@big.endian.de, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/etc inetd.conf
Message-ID:  <Pine.NEB.3.96L.1010816125355.84586G-100000@fledge.watson.org>
In-Reply-To: <20010816090911.A4232@blossom.cjclark.org>

next in thread | previous in thread | raw e-mail | index | archive | help

On Thu, 16 Aug 2001, Crist J. Clark wrote:

> I hear this argument frequently, but it does not really hold water.
> There are a lot of standard services that live above 1023, some
> extremely sensitive, take NFS for example or how about nearly all other
> RPC services. I have never heard of malicious local users trying to DoS
> these services in such a manner. It is easy enough for an adninistrator
> to fix the problem (kill the daemon watching for the port to open, kill
> the listening process, lock the account of the offending user). Windows
> systems have no concept of privileged ports and I have never seen this
> type of exploit against a NT or 2k server.  -- Crist J. Clark

This is because no Windows services make use of the "privileged port" 
model for security purposes.  But UNIX systems use them in a number of
places for native services, such as r*, NFS, etc.  Windows, unlike UNIX,
has an established distributed system model for authentication and service
management, and that is tightly integrated into the operating system.
And there are probably races in their directory service model, just a
there are races in our portmapper.

Also, to be honest, the use of Windows servers is quite a bit different
from UNIX servers.  ISP's don't frequently give complete remote login and
execution rights to 10,000 customer accounts.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1010816125355.84586G-100000>