Subject: Re: new sysctl - privilaged ports runtime option?
To: None <tech-kern@netbsd.org>
From: Rasputin <rasputin@idoru.mine.nu>
List: tech-kern
Date: 08/08/2002 13:54:26
* Greg A. Woods <woods@weird.com> [020807 22:21]:
> [ On Wednesday, August 7, 2002 at 13:59:07 (-0500), Joe Reed wrote: ]
> > Subject: Re: new sysctl - privilaged ports runtime option?
> >
> > On Wednesday 07 August 2002 12:47, Greywolf wrote:
> > > 
> > > I didn't see the original message; what, exactly, are we aiming for here,
> > > and to what end?
> > 
> > The point is to replace the compile-time kernel option NOPRIVPORTS with a 
> > runtime one.  My reasons are explained in yesterday's post (see 
> > mail-index.netbsd.org).
> 
> I think there's enough code in user-land that makes certain assumptions
> about what privileges are required in order to bind a socket (either for
> listening or for the source port) to a port <= 1024 that such an option
> really should always only be a compile-time option, and one documented
> with grave warnings attached at that.  SSH for example makes many such
> assumptions.  I.e. you really must know exactly what you're doing before
> giving up this protection on a given machine.

Does this change win anything over using something like ipnat to
redirect inbound port 80 traffic -> 8888, for example?

-- 
Rasputin :: Jack of All Trades - Master of Nuns
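The following is an added example, not code from the thread or from the NetBSD source. It shows the two things the discussion turns on, from userland's point of view: what the kernel's reserved-port rule looks like to a program calling bind(), and the kind of "privileged source port implies root on the peer" assumption Greg refers to, which rsh/rlogin-style host authentication and ssh's rhosts modes rest on. It assumes a BSD-socket system where IPPORT_RESERVED is 1024 and bind() below it needs root; the function names (try_bind, peer_trusted, loopback_peer_check) are this example's own. On a kernel built with NOPRIVPORTS, or with the proposed sysctl turned on, try_bind(80) succeeds for any user and peer_trusted() stops meaning anything.

```c
/*
 * Added example: the reserved-port rule as seen from userland.
 * Assumes IPPORT_RESERVED == 1024 and that bind() below it needs privilege.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Ports 1..1023 are "privileged" (reserved) on a stock kernel. */
int is_privileged_port(int port)
{
    return port > 0 && port < IPPORT_RESERVED;
}

/*
 * Probe the kernel's bind() policy: bind a TCP socket to 127.0.0.1:port,
 * then close it.  Returns 0 on success, else errno (EACCES for an
 * unprivileged process on a reserved port).
 */
int try_bind(int port)
{
    struct sockaddr_in sa;
    int fd, err = 0;

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((unsigned short)port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0)
        err = errno;
    close(fd);
    return err;
}

/*
 * Greg's assumption as code: "a connection whose source port is reserved
 * must have been opened by root on the peer".  Only sound while the peer
 * kernel actually enforces the reserved range.
 */
int peer_trusted(const struct sockaddr_in *peer)
{
    return is_privileged_port(ntohs(peer->sin_port));
}

/*
 * Loopback demo: listen on an ephemeral port, connect to it from an
 * ephemeral (unprivileged) source port, run peer_trusted() on the accepted
 * connection.  Returns the verdict (expected 0), or -1 on a socket error.
 */
int loopback_peer_check(void)
{
    struct sockaddr_in sa, peer;
    socklen_t len = sizeof sa;
    int ls, cs, as, verdict = -1;

    ls = socket(AF_INET, SOCK_STREAM, 0);
    cs = socket(AF_INET, SOCK_STREAM, 0);
    if (ls < 0 || cs < 0)
        goto out;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = 0;                          /* kernel picks the port */
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(ls, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(ls, 1) < 0)
        goto out;
    if (getsockname(ls, (struct sockaddr *)&sa, &len) < 0)
        goto out;
    if (connect(cs, (struct sockaddr *)&sa, sizeof sa) < 0)
        goto out;
    len = sizeof peer;
    as = accept(ls, (struct sockaddr *)&peer, &len);
    if (as < 0)
        goto out;
    verdict = peer_trusted(&peer);            /* 0: ephemeral source port */
    close(as);
out:
    if (ls >= 0) close(ls);
    if (cs >= 0) close(cs);
    return verdict;
}

int main(void)
{
    int e = try_bind(80);

    printf("bind 127.0.0.1:80 -> %s\n", e ? strerror(e) : "ok (root, or NOPRIVPORTS)");
    printf("bind 127.0.0.1:0  -> %s\n", try_bind(0) ? "failed" : "ok");
    printf("loopback peer on ephemeral port trusted? %d\n", loopback_peer_check());
    return 0;
}
```

Run as an ordinary user on a stock kernel and the port-80 bind reports EACCES while the ephemeral bind succeeds; run it as root, or on a kernel where the reserved-port check is off, and both succeed, which is precisely why code built on peer_trusted() cannot tell the two cases apart from the network. For comparison, the ipnat approach Rasputin asks about leaves the reserved-port rule in place and instead rewrites the destination port before the socket layer sees it; an ipnat.conf line of the form `rdr xl0 0.0.0.0/0 port 80 -> 127.0.0.1 port 8888 tcp` (interface name assumed) lets an unprivileged daemon on 8888 serve inbound port-80 traffic without any process ever binding a reserved port.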