Date: Wed, 6 Sep 2000 18:32:43 +0300
From: Valentin Nechayev <netch@segfault.kiev.ua>
To: freebsd-arch@freebsd.org
Subject: Re: thought about allocation of the first 1024th ports
Message-ID: <20000906183242.B7975@netch.kiev.ua>
In-Reply-To: <5FE9B713CCCDD311A03400508B8B30135878FE@bdr-xcln.is.matchlogic.com>; from crandall@matchlogic.com on Tue, Sep 05, 2000 at 03:42:18PM +0000
References: <5FE9B713CCCDD311A03400508B8B30135878FE@bdr-xcln.is.matchlogic.com>
Tue, Sep 05, 2000 at 15:42:18, crandall wrote about "RE: thought about allocation of the first 1024th ports":

> We run ipfw+natd for local port redirection on some of our web servers. That
> allows us to avoid setuid root executables.
>
> I've found it to be a very workable solution for programmers and system
> admins.

It's not an objection, but just a comment; and nevertheless still ;))

"Very workable", but only in the ideal case. Consider, e.g., squid on port 3128, and an intruder's program which binds the same port with SO_REUSE*. At least it blocks the whole port if squid falls (squid likes to fall ;)). (Please don't say that there should not be bad guys' shells on the server.)

That's why I say the problem is not of large priority, but of large severity.

> On most Unix systems and on FreeBSD, the first 1024th ports can't be
> allocated by a non-root process. As far as I know, this is justified
> because services running on these ports generally require root privileges
> to accomplish their tasks because they are intended to be used by all the
> users on the system and need to access their data.

/netch
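The point of the message, made observable. The script below is an added example, not code from this thread or from FreeBSD: it probes a TCP port the way an unprivileged local process would (a bind with SO_REUSEADDR on the loopback address) and classifies the outcome, so an administrator can see that a reserved port is refused by the kernel while an unprivileged service port like 3128 is free for any local user to take the moment the daemon exits. The loopback address, the classic 1024 boundary, the file name portaudit.py and the sample ports 80 and 3128 are assumptions of the example.

```python
"""Probe whether a service's TCP port can be claimed by an unprivileged local process.

Added example for the thread above (not code from the thread or from FreeBSD).
A daemon parked on an unprivileged port (squid on 3128 behind an ipfw/natd
redirect) owns that port only while it is running; once it dies, any local
user can bind the same port.  Binding a port below 1024 is refused by the
kernel for non-root processes, which is what the reservation buys.
Run it unprivileged, e.g.:  python3 portaudit.py 80 3128   (assumed file name)
"""
import errno
import os
import socket

PRIVILEGED_PORT_LIMIT = 1024  # classic Unix: ports below this need root to bind


def try_bind(port, host="127.0.0.1"):
    """Try to bind a TCP socket to (host, port) with SO_REUSEADDR set.

    Returns (True, None) on success or (False, "ERRNO_NAME") on failure.
    The socket is closed before returning, so the probe never keeps the port.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        return True, None
    except OSError as e:
        return False, errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def audit_port(port):
    """Classify a port from the point of view of a would-be local hijacker.

    "held"       a listener currently owns the port (bind -> EADDRINUSE);
                 it becomes "claimable" the moment that daemon exits.
    "claimable"  the bind succeeded on an unprivileged port: any local user
                 could take it right now.
    "reserved"   the kernel refused an unprivileged bind below 1024 (EACCES).
    "claimable-privileged"  a bind below 1024 succeeded, so this probe ran
                 with root privileges and says nothing about other users;
                 rerun it as an ordinary user.
    """
    ok, err = try_bind(port)
    if ok:
        if port < PRIVILEGED_PORT_LIMIT:
            return "claimable-privileged"
        return "claimable"
    if err == "EADDRINUSE":
        return "held"
    if err == "EACCES":
        return "reserved"
    return "error:" + err


def listen_on_free_port():
    """Stand in for a running daemon: listen on a kernel-chosen unprivileged port.

    Returns (server_socket, port).  Closing the socket simulates the daemon dying.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def running_as_root():
    """True when the probe has root privileges (results for reserved ports are then moot)."""
    return hasattr(os, "geteuid") and os.geteuid() == 0


if __name__ == "__main__":
    import sys
    ports = [int(p) for p in sys.argv[1:]] or [80, 3128]  # sample ports, assumed
    if running_as_root():
        print("note: running as root; verdicts for reserved ports are not meaningful")
    for p in ports:
        print("%5d  %s" % (p, audit_port(p)))
    # The scenario from the message: the daemon dies and the port is up for grabs.
    srv, p = listen_on_free_port()
    print("%5d  %s  (daemon up)" % (p, audit_port(p)))
    srv.close()
    print("%5d  %s  (daemon gone)" % (p, audit_port(p)))
```

Run as an ordinary user, port 80 reports "reserved" (or "held" if a web server is listening) while a port such as 3128 reports "held" only while its daemon is alive and "claimable" afterwards; the simulated daemon at the end shows the transition without needing squid installed. The probe deliberately uses only SO_REUSEADDR: it asks whether the port is free to take after the daemon exits, which is the case the message calls severe, rather than whether a live listener can be shared.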