Subject: Kernel patch to allow user bind < port 1024?
To: None <port-i386@netbsd.org>
From: Eugene Levy <eugene@nutrify.com>
List: port-i386
Date: 01/02/2001 11:07:36
Where in the NetBSD kernel source are the restrictions to prevent
non-root users from binding server sockets on ports below 1024?  I wish
to write a patch to allow this!  Eventually it would be nice if future
NetBSD distributions put this in as a kernel configuration option.

In light of security holes discovered in ftp, apache, sendmail, qpopper,
etc. I would prefer to run these daemons as a restricted user (like nobody)
by changing their file ownerships and setting the 'setid' bits on their
executables.  So if a hacker manages to use some type of exploit like a
buffer overflow, they can't use it to get root access.

Yes I understand that there is an established Unix understanding that
only root should be able to launch services below port 1024.  But that
tradeoff does not outweigh the security benefits of having all Internet
services running under restricted users.  (Especially on those Internet
servers which do not have non-root shell accounts!)

Currently I have changed configuration files and/or re-compiled binaries
so that they listen on ports >= 1024, and then use the 'rdr' option
in IPNAT to redirect incoming packets to those higher ports.  (For
example, IPNAT redirects tcp traffic on port 80 to port 1080, and apache
is configured to listen on port 1080.)  This works great, but it is
really inefficient to use IPNAT just to allow services to run as non-root.
A kernel patch would be a much better way!

Thanks in advance.
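The IPNAT redirect described in the message above, written out as an added example for readers of the archive; it is not from the original poster or from NetBSD's own configuration files. The interface name fxp0, the address 192.0.2.10 and the unprivileged user/group names are assumptions; adjust them to the host.

```conf
# /etc/ipnat.conf  (added example; fxp0 and 192.0.2.10 are assumed values)
# Rewrite inbound TCP to port 80 arriving on fxp0 so that it is delivered
# to Apache, which listens on the unprivileged port 1080.
rdr fxp0 0.0.0.0/0 port 80 -> 192.0.2.10 port 1080 tcp

# /etc/ipf.conf  (IPFilter applies NAT before filtering on inbound packets,
# so the pass rule must match the rewritten port 1080, not the original 80)
block in on fxp0 all
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 1080 flags S keep state

# httpd.conf  (Apache runs as an unprivileged user and never needs a reserved port)
Listen 1080
User nobody
Group nogroup
```

Load the rules with `ipnat -CF -f /etc/ipnat.conf` (clear and flush the old table, then read the file) and confirm with `ipnat -l` that the rdr entry is active. Two caveats a practitioner should keep in mind: rdr only rewrites packets that arrive on the named interface, so connections made on the host itself to port 80 are not redirected; and because nothing reserves port 1080, any local user who binds it first receives the redirected traffic, which is exactly the hijacking risk the reserved-port rule exists to prevent, so this arrangement is only as safe as the original message's premise that the host has no untrusted local accounts.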