On Mon, Sep 23, 2002 at 08:29:15AM +0200, John Hay wrote: > > better to have a definition of what are restricted ports for each jail > > than to redefine what root is.... > > > > (1024 numbers is only 32 words of bitmask) > > Sometimes I think the below 1024 check is outdated. What about a flag to > switch the below 1024 check totally off? How much do we really loose? The
I remember around 6 years ago, when I still ran Linux, that the solution to this problem came in the form of a diff which delegated bind() on a reserved port credentials to a certain GID, BIND_GID. From that point on, the boot process had to be changed such that daemons which only needed to bind to a privileged port were run under their own non-root uid, with this BIND_GID in the additional groups list, using a wrapper such as sudo. This still amounts to a local mod - it can be done, has been done before, I think Tom Ptacek did some diffs for this for vanilla 4.4BSD a good while back, rewriting it for your current tree can't be too difficult. See here: http://www.sockpuppet.org/tqbf/sysctlpriv.html BMS To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
