Subject: Re: new sysctl - privilaged ports runtime option?
To: Joe Reed <jnr@po.cwru.edu>
From: Greg A. Woods <woods@weird.com>
List: tech-kern
Date: 08/07/2002 17:20:18

[ On Wednesday, August 7, 2002 at 13:59:07 (-0500), Joe Reed wrote: ]
> Subject: Re: new sysctl - privilaged ports runtime option?
>
> On Wednesday 07 August 2002 12:47, Greywolf wrote:
> >
> > I didn't see the original message; what, exactly, are we aiming for here,
> > and to what end?
>
> the point is to replace the compile-time kernel option NOPRIVPORTS with a
> runtime one. my reasons are explained in yesterday's post (see
> mail-index.netbsd.org)

I think there's enough code in user-land that makes certain assumptions
about what privileges are required in order to bind a socket (either for
listening or for the source port) to a port <= 1024 that such an option
really should always only be a compile-time option, and one documented
with grave warnings attached at that. SSH for example makes many such
assumptions. I.e. you really must know exactly what you're doing before
giving up this protection on a given machine.

Of course you have the source so you're free to compile your own runtime
option into your own kernels.... :-)

--
Greg A. Woods
+1 416 218-0098; <g.a.woods@ieee.org>; <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>