Subject: Re: new sysctl - privilaged ports runtime option?
To: None <tech-kern@netbsd.org>
From: Rasputin <rasputin@idoru.mine.nu>
List: tech-kern
Date: 08/08/2002 13:54:26
* Greg A. Woods <woods@weird.com> [020807 22:21]:
> [ On Wednesday, August 7, 2002 at 13:59:07 (-0500), Joe Reed wrote: ]
> > Subject: Re: new sysctl - privilaged ports runtime option?
> >
> > On Wednesday 07 August 2002 12:47, Greywolf wrote:
> > >
> > > I didn't see the original message; what, exactly, are we aiming for here,
> > > and to what end?
> >
> > the point is to replace the compile-time kernel option NOPRIVPORTS with a
> > runtime one. my reasons are explained in yesterday's post (see
> > mail-index.netbsd.org)
>
> I think there's enough code in user-land that makes certain assumptions
> about what privileges are required in order to bind a socket (either for
> listening or for the source port) to a port <= 1024 that such an option
> really should always only be a compile-time option, and one documented
> with grave warnings attached at that. SSH for example makes many such
> assumptions. I.e. you really must know exactly what you're doing before
> giving up this protection on a given machine.
Does this change win anything over using something like ipnat to
redirect inbound port 80 traffic -> 8888, for example?
--
Rasputin :: Jack of All Trades - Master of Nuns
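For reference, the ipnat alternative mentioned above, written out as an added example (not from this thread or the NetBSD tree): the daemon binds an unprivileged port as a non-root user, and the kernel's privileged-port check on port 80 stays in force; the interface name `ex0` and the loopback target are assumptions.

```text
# ipnat.conf fragment (added example, assumed interface name ex0)
# Inbound TCP to port 80 on ex0 is rewritten to 127.0.0.1:8888, where an
# unprivileged daemon listens. Nothing needs root to bind, and the
# reserved-port check that user-land code (e.g. ssh) relies on is untouched.
rdr ex0 0.0.0.0/0 port 80 -> 127.0.0.1 port 8888 tcp

# Load it, and confirm the active rules with: ipnat -l
# (run as root: ipnat -CF -f /etc/ipnat.conf)
```

A process that needs a low source port (the rsh/rlogin-style checks Greg refers to) is not helped by this rule; it only covers inbound listeners.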