On 6/23/05, Jeremie Le Hen <[EMAIL PROTECTED]> wrote:
> > Most daemons that bind to "privileged" ports and run as a non-root uid,
> > start as root, then change the effective UID after binding to the port.
>
> Yes. Secure programs like Postfix (smtp), OpenSSH, vsftpd and Dovecot
> (imap) use privilege separation. For instance, if you need to open
> TCP port 80 later, you could use a separate process for this purpose
> only and communicate with it (through a UNIX socket). There is
> obviously some performance degradation if you need high-speed
> communication, but this is a trade-off if you really need to open a
> privileged port later and you want security.
>
> Regards,
> --
> Jeremie Le Hen
> < jeremie at le-hen dot org >< ttz at chchile dot org >

Is it a good idea to run daemons on non-privileged ports as a normal user
(e.g. www) and then have natd or a firewall redirect the traffic targeting
the privileged port? For example: a web server running as user www on port
8000, with IPFW, IPNAT, PF or NATD redirecting port 80 to port 8000. Is such
a solution a good idea? I read in man natd that one can redirect traffic
coming in on the gateway on port 80 to one or many servers running daemons
on non-privileged ports.

--
Kind regards
Abu Khaled
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
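The privilege-separated bind that Jeremie describes above, written out as an added example; this is not code from either poster or from any of the daemons named in the thread. A parent that keeps root does nothing but bind the listening socket and hand the descriptor to an unprivileged child over a UNIX socketpair with SCM_RIGHTS; the child drops to the service account and serves. The account name "www", the loopback bind address and port 80 are assumptions. When run without root it binds an ephemeral port instead, so the descriptor passing can be exercised on any POSIX/BSD system.

```c
/* Added example, not code from the thread: privilege separation for a privileged
 * listening port.  The root parent binds the socket and passes it over a UNIX
 * socketpair (SCM_RIGHTS); the unprivileged child serves it.  Assumed: a local
 * account "www" and port 80 as the target.  _DEFAULT_SOURCE is for glibc only. */
#define _DEFAULT_SOURCE
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <grp.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Bind and listen on 127.0.0.1:port (0 = kernel picks).  Root needed below 1024. */
int bind_listener(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port),
                               .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Control-message buffer sized for exactly one descriptor. */
union fdbuf { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* Hand descriptor fd to the peer of UNIX socket chan.  0 on success. */
int send_fd(int chan, int fd)
{
    char byte = 0;                       /* one data byte so the message is non-empty */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fdbuf u = { .buf = { 0 } };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent with send_fd; -1 if the message carried none. */
int recv_fd(int chan)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fdbuf u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS ||
        cm->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* TCP port the socket is bound to (host order), 0 on error. */
uint16_t bound_port(int fd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    return getsockname(fd, (struct sockaddr *)&sin, &len) < 0 ? 0 : ntohs(sin.sin_port);
}

/* Drop to `user` when root (no-op otherwise): supplementary groups, gid, then uid.
 * Returns 0 only if root can no longer be regained. */
int drop_privs(const char *user)
{
    if (getuid() != 0) return 0;
    struct passwd *pw = getpwnam(user);
    if (!pw || setgroups(1, &pw->pw_gid) < 0 || setgid(pw->pw_gid) < 0 ||
        setuid(pw->pw_uid) < 0) return -1;
    return setuid(0) == 0 ? -1 : 0;
}

int main(void)
{
    int sv[2], status;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 1;
    pid_t pid = fork();
    if (pid == 0) {                              /* child: unprivileged worker */
        close(sv[0]);
        int lfd = recv_fd(sv[1]);
        if (lfd < 0 || drop_privs("www") < 0) _exit(1);
        printf("uid %u serving port %u\n", (unsigned)getuid(), bound_port(lfd));
        _exit(0);                                /* accept() loop would follow */
    }
    close(sv[1]);                                /* parent: keeps root, binds only */
    int lfd = bind_listener(getuid() == 0 ? 80 : 0);
    int rc = lfd < 0 || send_fd(sv[0], lfd) < 0;
    if (lfd >= 0) close(lfd);                    /* parent keeps no copy of the listener */
    waitpid(pid, &status, 0);
    return rc || status != 0;
}
```

The socketpair is the "communicate through a UNIX socket" channel from the quoted reply: if the worker later needs another privileged port, it asks the parent over the same channel and receives a fresh descriptor, so root code stays limited to bind_listener and the request handler. Two checks worth keeping: drop_privs resets supplementary groups before setgid/setuid (otherwise the worker inherits root's groups such as wheel) and verifies that setuid(0) fails afterwards. On the redirect approach asked about in the message, note that a port above 1024 can be bound by any local user, so if the daemon dies another account can bind 8000 and receive the traffic the rdr rule still forwards from port 80; the privileged-port bind does not have that failure mode.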