On Thu, 8 Oct 2009, Oliver Fromme wrote:
Are you sure? The majority of BSD machines in my vicinity have multiple
accounts.
And even if there's only one account, there is no reason to be careless with
potential port-takeover risks.
Therefore I advise against running critical daemons on unprivileged ports,
especially on machines with shell accounts. And if you need to bind to a
port >= 1024, use mac_portacl(4) to protect it. It's easy to use.
Alternatively you can increase the value of the sysctl
net.inet.ip.portrange.reservedhigh, but this is less flexible and might have
unwanted side effects.
And, for those that haven't already noticed, "options MAC" is compiled into
GENERIC on 8.0, so working with MAC policies no longer requires a recompile
(or in many cases, even a reboot).
Robert N M Watson
Computer Laboratory
University of Cambridge
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
