Subject: Re: new sysctl - privileged ports runtime option?
To: NetBSD Kernel Technical Discussion List <tech-kern@NetBSD.ORG>
From: Matthew Mondor <mmondor@gobot.ca>
List: tech-kern
Date: 10/15/2002 15:42:06
On Sun, 11 Aug 2002 14:56:42 -0400 (EDT)
woods@weird.com (Greg A. Woods) wrote:

> > what you can do though is remove the restriction on the ports, then
> > use systrace to restrict them.  this gives you the ability to have
> > sendmail, etc. running as an unpriv user, but still allowed to bind to
> > the proper port(s).
> 
> I generally _really_ like to do security related things in exactly the
> opposite way so that they "fail safely".  I.e. only release the
> restrictions on specific ports, and to only do that via a restricted
> interface.  Assuming it works then IPNAT satisfies my requirements
> exactly, whereas using NOPRIVEPORTS+systrace goes diametrically opposite
> to them.

Although replying to quite an old message, the topic was recently brought
back up and I have been reading the thread history...

Thumbs up, we should try to keep interfaces in a way that access is denied
by default, and only allowed when specific permissions have been set to do
so. Especially since the default expected behavior on unices prevents it.

Meanwhile, can't sendmail chroot(2), setgroups(2) and setuid(2) after
bind(2)? That's what my public internet servers currently do... Those
daemons should normally only be launched by the superuser anyways, for
obvious security considerations...

I however understand the need where administrators can't always patch
their favorite applications themselves, and a kernel control feature may
be useful to have.

Matt
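The bind-then-drop sequence Matt describes above (bind(2) while still root, then chroot(2), setgroups(2) and setuid(2)), written out as an added C example; this is not code from the thread, from sendmail, or from NetBSD. The listening port, the /var/empty chroot directory and uid/gid 65534 are constructed sample values, and drop_privileges() ends by checking that root cannot be regained, which is the "fail safely" property the thread argues for.

```c
#define _GNU_SOURCE          /* glibc: expose setgroups() and chroot() prototypes */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <grp.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Create a listening IPv4 TCP socket on loopback:`port` (0 = any free port).
 * Returns the socket fd, or -1 with errno set. Binding below 1024 needs the
 * superuser on a default Unix kernel, which is why it happens before the
 * privilege drop below. */
int bind_listen(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    (void)setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 16) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Report the port a socket is actually bound to (host byte order), or -1. */
int bound_port(int fd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0)
        return -1;
    return ntohs(sin.sin_port);
}

/* Drop root after the privileged bind: chroot, then groups, gid, uid.
 * The order matters: chroot(2) and setgroups(2) need root, so they go
 * first; setuid(2) goes last because it is the irreversible step.
 * Returns 0 on success, -1 on any failure (a partial drop is not trusted). */
int drop_privileges(const char *root_dir, uid_t uid, gid_t gid)
{
    if (chroot(root_dir) < 0 || chdir("/") < 0)   /* chdir so cwd is inside the jail */
        return -1;
    if (setgroups(1, &gid) < 0)                   /* discard inherited supplementary groups */
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    /* Verify the drop really happened: if setuid(0) still succeeds, the
     * process never actually shed its privileges. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed defaults: port 25 as sendmail would, optional override. */
    uint16_t port = argc > 1 ? (uint16_t)atoi(argv[1]) : 25;
    int fd = bind_listen(port);
    if (fd < 0) {
        perror("bind_listen");
        return 1;
    }
    printf("listening on port %d as uid %d\n", bound_port(fd), (int)getuid());
    /* /var/empty and uid/gid 65534 ("nobody" on many systems) are assumed
     * sample values; a real daemon uses its own dedicated account. */
    if (drop_privileges("/var/empty", 65534, 65534) < 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now uid %d gid %d; root cannot be regained\n", (int)getuid(), (int)getgid());
    close(fd);
    return 0;
}
```

Run it as root to see the full sequence; run unprivileged and bind_listen() on port 25 fails with EACCES, which is exactly the kernel restriction the sysctl proposal would relax. The verification step at the end of drop_privileges() is the part worth copying: a daemon that only calls setuid() and never checks the result, or that calls setuid() before chroot(), ends up in one of the silently-still-root states that systrace-style allow lists cannot detect.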