Subject: Re: allowing unpriv users to bind to priv ports
To: Joe Reed <>
From: Lubomir Sedlacik <>
List: tech-kern
Date: 09/25/2002 23:17:05

hi joe,

On Wed, Sep 25, 2002 at 03:26:51PM -0400, Joe Reed wrote:
> i've been working on a utility to allow unprivileged users to bind to
> privileged ports on a per user/group basis.  the rules are similar to
> ipf rules and allow for daemons to be run as unprivileged users, but
> still bind to the proper port (without losing any restriction for any
> other user), with a specific protocol.  these rules only work for
> ports less than the reserved port.  and superuser is always allowed to
> bind, regardless of rules.
> the ports that have rules are stored in a linked list, with their
> rules in a set of lists as well (allow and deny).  i used the linked
> lists for simplicity and proof of concept.  still lookup time is
> (worst case) O(p+a) for allow and O(p+d) for deny case.  where p =
> number of ports that have rules, a,d = number of allow,deny rules
> respectively.  so if there is no rule for that user/group on that
> port, the worst possible search time is O(p+d+a).  which is not too
> horrible.

just a little note: what about /dev/ports/(tcp|tcp6|udp|udp6)/1-65535
nodes with appropriate owner/group or even permissions (e.g. x as an
"allow binding" flag)?


-- Lubomir Sedlacik <>   ASCII Ribbon campaign against  /"\
--                  <>   e-mail in gratuitous HTML and  \ /
--                                       Microsoft proprietary formats   X
-- PGPkey:                                  / \
-- Key Fingerprint: 75B2 2B96 CD75 0385 1C49  39B8 8B08 C30E 54BC 7263

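As an added example (not code from this thread, from Joe's utility, or from NetBSD), the following user-space program models the alternative Lubomir sketches: instead of walking a per-port rule list, the bind() path would look up a device node /dev/ports/<proto>/<port> and let a non-root process bind when it holds execute ("x") permission on that node, evaluated with the usual owner/group/other bits. The /dev/ports hierarchy, the may_bind() function and the sample nodes are assumptions for illustration; the "filesystem" is an in-memory table so the program runs without the proposed device nodes existing.

```c
/* Added example (not from the thread): models the /dev/ports check
 * Lubomir proposes. The "device nodes" below are a constructed
 * in-memory table standing in for the filesystem, so this runs in
 * user space without any /dev/ports hierarchy. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

#define IPPORT_RESERVED 1024   /* ports below this need privilege */

struct devnode {
    char   path[64];    /* e.g. "/dev/ports/tcp/80" (assumed layout) */
    uid_t  uid;
    gid_t  gid;
    mode_t mode;        /* only the x bits are consulted by the bind check */
};

/* Constructed sample nodes: who may bind which protocol/port. */
static const struct devnode nodes[] = {
    { "/dev/ports/tcp/80", 1001, 0,    0100 },  /* owner (uid 1001) may bind */
    { "/dev/ports/tcp/53", 0,    2001, 0010 },  /* group 2001 may bind */
    { "/dev/ports/udp/53", 0,    2001, 0010 },
    { "/dev/ports/tcp/25", 0,    0,    0000 },  /* nobody but root */
};

/* Build the node path for proto/port and find it in the table. */
static const struct devnode *lookup_node(const char *proto, unsigned port)
{
    char path[64];
    snprintf(path, sizeof path, "/dev/ports/%s/%u", proto, port);
    for (size_t i = 0; i < sizeof nodes / sizeof nodes[0]; i++)
        if (strcmp(nodes[i].path, path) == 0)
            return &nodes[i];
    return NULL;
}

/* Classic Unix access order: owner bits if the uid matches, else group
 * bits if any of the caller's groups matches, else the "other" bits.
 * Only the execute bit is looked at, as the "allow binding" flag. */
static int has_x(const struct devnode *n, uid_t uid,
                 const gid_t *gids, size_t ngids)
{
    if (uid == n->uid)
        return (n->mode & S_IXUSR) != 0;
    for (size_t i = 0; i < ngids; i++)
        if (gids[i] == n->gid)
            return (n->mode & S_IXGRP) != 0;
    return (n->mode & S_IXOTH) != 0;
}

/* Returns 1 if a process with these credentials may bind() proto/port. */
int may_bind(const char *proto, unsigned port, uid_t uid,
             const gid_t *gids, size_t ngids)
{
    const struct devnode *n;

    if (uid == 0)                    /* superuser is always allowed */
        return 1;
    if (port >= IPPORT_RESERVED)     /* unreserved ports need no node */
        return 1;
    n = lookup_node(proto, port);
    if (n == NULL)                   /* no node: keep the default deny */
        return 0;
    return has_x(n, uid, gids, ngids);
}

int main(void)
{
    gid_t www_gids[] = { 1001 };
    gid_t dns_gids[] = { 2001, 100 };

    printf("uid 1001 tcp/80:   %d\n", may_bind("tcp", 80, 1001, www_gids, 1));
    printf("uid 1001 tcp/53:   %d\n", may_bind("tcp", 53, 1001, www_gids, 1));
    printf("uid 1002 udp/53:   %d\n", may_bind("udp", 53, 1002, dns_gids, 2));
    printf("uid 1002 tcp/25:   %d\n", may_bind("tcp", 25, 1002, dns_gids, 2));
    printf("root tcp/25:       %d\n", may_bind("tcp", 25, 0, NULL, 0));
    printf("uid 1001 tcp/8080: %d\n", may_bind("tcp", 8080, 1001, www_gids, 1));
    return 0;
}
```

The point of the model is that the two rules Joe states as special cases (superuser always wins, only ports below the reserved port are checked) stay as two early returns, while the per user/group policy itself is expressed with ownership and mode bits that an administrator can already inspect and change with ls, chown and chmod. A node that is absent, or has no x bit for the caller, falls through to the existing deny.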