Blue Boar <BlueBoarat_private> writes: > Is there any point in needing to be root in order to allocate the low ports > on unix-like systems, anymore? It ensures that the program that you're talking to through a low port was started by the machine's admin, and not some random Joe Schmoe. Otherwise Joe can provide false information (webserver), capture mails, or even passwords. Of course, normally Joe will just get an "already in use" error when trying to bind his trojanised ftpd to port 21, but during a short downtime (e.g. upgrade) it will work. This is mainly an issue for services with weak or no security model on their own -- spoofing ssh is hard without access to the host key(s) -- but seeing as the net still puts much trust in those ... > Could some sort of port ACL simply be used that says a particular UID can > allocate a particular range of ports? authbind <URL:http://www.chiark.greenend.org.uk/ucgi/~ijackson/cvsweb/authbind/> is an effort in this direction. -- Robbe
This archive was generated by hypermail 2b30 : Thu Jul 04 2002 - 11:17:42 PDT