Subject: Re: A possible solution to ftpd port 20 binding
To: Todd Vierling <tv@wasabisystems.com>
From: Charles M. Hannum <root@ihack.net>
List: tech-net
Date: 11/22/2000 06:23:52
Todd Vierling wrote:

> 1. A process flag, cleared on exec, allowing reserved port binding.
> 
>    This would entail somehow setting this privilege flag on the struct proc
>    before revoking privileges, but the process could still bind privileged
>    ports.

This smells an awful lot like a capabilities-based system...

> 2. A socket option that creates a duplicate of a bound socket.
> 
>    This approach allows ftpd to create its data socket before revoking
>    privileges, prebound, but not connected to a remote system.  It could
>    have other useful non-security-related applications as well.
> 
>    The basic usage in userland would be, in pseudo:
> 
>      fd = socket(family, type, proto);
>      int on = 1;
>      setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on);
>      bind(fd, addr_and_port);

This is an absolutely horrendous abstraction violation.  No way.
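Added example, not code from this thread or from NetBSD's ftpd: the ordering that option 2 depends on, written out in C. A reserved port such as 20 is checked only at bind(2) time, so the data socket is bound while still root, then root is dropped permanently (supplementary groups, then gid, then uid, then a check that uid 0 cannot be regained) and the already-bound socket keeps working. The loopback address, port 0 and the uid/gid values are assumptions for a stand-alone run.

```c
#define _DEFAULT_SOURCE
#define _GNU_SOURCE
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <grp.h>
#include <string.h>

/* Create a TCP socket bound to `port` (0 = ephemeral) on 127.0.0.1 (assumed
   address). ftpd would call this for port 20 while still root; the kernel's
   reserved-port check happens here, not on the later connect(2). */
int prebind_data_socket(in_port_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int on = 1;
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons(port);
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on) < 0 ||
        bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Local port the socket is bound to, in host order; 0 on error. */
int bound_port(int fd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0)
        return 0;
    return ntohs(sin.sin_port);
}

/* Permanently drop root to uid/gid. Returns 0 on success, -1 if any step
   fails or if uid 0 can still be regained afterwards (no real drop). A
   caller that is not root has nothing to drop and gets 0. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() != 0)
        return 0;
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    if (setuid(0) == 0)          /* must fail, or the drop was not real */
        return -1;
    return 0;
}
```

The bound socket survives the drop because no privilege is consulted after bind(2); whether that is an acceptable design is exactly the point under dispute above.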