Doug Barton wrote:
> Oliver Fromme wrote:
> > There are shell machines with lots of user accounts, none
> > of which have administrative control of the system.
>
> Sure there are, but they make up only a tiny fraction of the systems
> on the network today.

Are you sure? The majority of BSD machines in my vicinity
have multiple accounts. And even if there's only one
account, there is no reason to be careless with potential
port-takeover risks.

Therefore I advise against running critical daemons on
unprivileged ports, especially on machines with shell
accounts. And if you need to bind to a port >= 1024,
use mac_portacl(4) to protect it. It's easy to use.

Alternatively you can increase the value of the sysctl
net.inet.ip.portrange.reservedhigh, but this is less
flexible and might have unwanted side effects.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registergericht Muenchen, HRA 74606, Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Registergericht
München, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more: http://www.secnetix.de/bsd

"C++ is the only current language making COBOL look good."
        -- Bertrand Meyer
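
Added example, not part of the message above: a small POSIX sh helper that validates mac_portacl(4) rules and prints the sysctl settings needed to reserve ports >= 1024 for particular uids or gids. The function names and the sample uid/gid/port values are constructed for illustration; the script only prints settings and changes nothing on the system.

```sh
#!/bin/sh
# Added example: generate mac_portacl(4) sysctl settings that reserve
# chosen ports >= 1024 for specific uids/gids. It only prints the settings.

# Validate one rule and print it as idtype:id:protocol:port.
portacl_rule() {
    case $1 in uid|gid) ;; *) echo "bad idtype: $1" >&2; return 1 ;; esac
    case $2 in ''|*[!0-9]*) echo "bad id: $2" >&2; return 1 ;; esac
    case $3 in tcp|udp) ;; *) echo "bad protocol: $3" >&2; return 1 ;; esac
    case $4 in ''|*[!0-9]*|??????*) echo "bad port: $4" >&2; return 1 ;; esac
    if [ "$4" -lt 1 ] || [ "$4" -gt 65535 ]; then
        echo "port out of range: $4" >&2; return 1
    fi
    echo "$1:$2:$3:$4"
}

# Print /etc/sysctl.conf lines for the given rule specs.
portacl_plan() {
    rules='' high=1023            # 1023 is the module's default port_high
    for spec in "$@"; do
        IFS=: read -r idtype id proto port <<EOF
$spec
EOF
        rule=$(portacl_rule "$idtype" "$id" "$proto" "$port") || return 1
        rules=${rules:+$rules,}$rule
        if [ "$port" -gt "$high" ]; then high=$port; fi
    done
    [ -n "$rules" ] || { echo "no rules given" >&2; return 1; }
    # The stock reserved-port check is switched off so that mac_portacl alone
    # decides; root stays exempt through suser_exempt.
    cat <<EOF
net.inet.ip.portrange.reservedlow=0
net.inet.ip.portrange.reservedhigh=0
security.mac.portacl.enabled=1
security.mac.portacl.suser_exempt=1
security.mac.portacl.port_high=$high
security.mac.portacl.rules=$rules
EOF
}

# Constructed sample: uid 80 owns tcp/8080, gid 53 owns udp/5353.
portacl_plan uid:80:tcp:8080 gid:53:udp:5353
```

The module has to be loaded first, for instance with `mac_portacl_load="YES"` in /boot/loader.conf. Once port_high is raised, every explicit non-root bind to a port at or below it needs its own rule, so keep the protected ports as low as the daemons allow.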