Re: www user than root

2005-06-23 Thread Jeremie Le Hen
> Yes it might be a good idea, but again, it depends on your security
> requirements: any user is able to bind port 8000, so if you have
> other users on the system, this may not be something to avoid.

s/not//

--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

Re: www user than root

2005-06-23 Thread Jeremie Le Hen
Hi Khaled,

> Is it a good idea to run daemons on non privileged ports as a normal
> user (e.g. www) then have natd or a firewall redirect the traffic
> targeting the privileged port.
>
> For example:
>
> A web server running as user www on port 8000.
> IPFW, IPNAT, PF or NATD redirecting port 80

Re: www user than root

2005-06-23 Thread Maxim Konovalov
[...]
> You could do something like this in FreeBSD 5-STABLE by hacking the
> in_pcbbind_setup() function in src/sys/netinet/in_pcb.c to not just
> call suser_cred(), but to instead perform a group check, by calling
> groupmember(some_privileged_socket_group, cred).

mac_portacl(4)

--
Maxim Konov

Re: www user than root

2005-06-23 Thread Abu Khaled
On 6/23/05, Jeremie Le Hen <[EMAIL PROTECTED]> wrote:
> > Most daemons that bind to "privileged" ports and run as a non-root uid,
> > start as root, then change the effective UID after binding to the port.
>
> Yes. Secure programs like Postfix (smtp), OpenSSH, vsftpd and Dovecot
> (imap) use priv

Re: www user than root

2005-06-23 Thread Jeremie Le Hen
> Most daemons that bind to "privileged" ports and run as a non-root uid,
> start as root, then change the effective UID after binding to the port.

Yes. Secure programs like Postfix (smtp), OpenSSH, vsftpd and Dovecot (imap) use privilege separation. For instance if you need to open the TCP port

RE: www user than root

2005-06-22 Thread Darren Pilgrim
From: Mrad James Deane
>
> Hello I want to know how the www user with uid:80 can print
> on a privileged port like 80 rather the root user I'm very
> in trouble I did not find a solution yet mac_portacl is one
> but it is very experimental please help. Thanks

Most daemons that bind to "privileged

Re: www user than root

2005-06-22 Thread Kövesdán Gábor
I think that the following sysctls do the trick

[EMAIL PROTECTED] sysctl net|grep reserv
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.reservedlow: 0

marco

According to that, one could lower the reservedhigh value to 79, or increase the reservedlow to 81, but I don't think

Re: www user than root

2005-06-22 Thread Marco Molteni
On Wed, 22 Jun 2005 16:14:06 +0100 Bruce M Simpson <[EMAIL PROTECTED]> wrote:
> On Wed, Jun 22, 2005 at 05:01:17PM +0200, Mrad James Deane wrote:
> > Hello I want to know how the www user with uid:80 can print on a
> > privileged port like 80 rather the root user I'm very in trouble I
> > did not

Re: www user than root

2005-06-22 Thread Bruce M Simpson
On Wed, Jun 22, 2005 at 05:01:17PM +0200, Mrad James Deane wrote:
> Hello I want to know how the www user with uid:80 can print on a privileged
> port like 80 rather the root user I'm very in trouble I did not find a
> solution yet mac_portacl is one but it is very experimental please help.
> tha

www user than root

2005-06-22 Thread Mrad James Deane
Hello I want to know how the www user with uid:80 can print on a privileged port like 80 rather the root user I'm very in trouble I did not find a solution yet mac_portacl is one but it is very experimental please help. Thanks