Date: Thu, 16 Aug 2001 13:22:41 -0400 (EDT) From: Robert Watson <rwatson@FreeBSD.org> To: cjclark@alum.mit.edu Cc: Maxim Sobolev <sobomax@FreeBSD.org>, David Malone <dwmalone@maths.tcd.ie>, Mikhail Teterin <mi@aldan.algebra.com>, alex@big.endian.de, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/etc inetd.conf Message-ID: <Pine.NEB.3.96L.1010816125355.84586G-100000@fledge.watson.org> In-Reply-To: <20010816090911.A4232@blossom.cjclark.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 16 Aug 2001, Crist J. Clark wrote: > I hear this argument frequently, but it does not really hold water. > There are a lot of standard services that live above 1023, some > extremely sensitive, take NFS for example or how about nearly all other > RPC services. I have never heard of malicious local users trying to DoS > these services in such a manner. It is easy enough for an adninistrator > to fix the problem (kill the daemon watching for the port to open, kill > the listening process, lock the account of the offending user). Windows > systems have no concept of privileged ports and I have never seen this > type of exploit against a NT or 2k server. -- Crist J. Clark This is because no Windows services make use of the "privileged port" model for security purposes. But UNIX systems use them in a number of places for native services, such as r*, NFS, etc. Windows, unlike UNIX, has an established distributed system model for authentication and service management, and that is tightly integrated into the operating system. And there are probably races in their directory service model, just a there are races in our portmapper. Also, to be honest, the use of Windows servers is quite a bit different from UNIX servers. ISP's don't frequently give complete remote login and execution rights to 10,000 customer accounts. Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1010816125355.84586G-100000>