Vulnerability Development mailing list archives

Re: Ports 0-1023?


From: robbe () orcus priv at
Date: 04 Jul 2002 14:12:24 +0200

Blue Boar <BlueBoar () thievco com> writes:

> Is there any point in needing to be root in order to allocate the low ports
> on unix-like systems, anymore?

It ensures that the program that you're talking to through a low port was
started by the machine's admin, and not some random Joe Schmoe. Otherwise Joe
can provide false information (webserver), capture mails, or even passwords.

Of course, normally Joe will just get an "already in use" error when trying to
bind his trojanised ftpd to port 21, but during a short downtime (e.g. 
upgrade) it will work.

This is mainly an issue for services with weak or no security model on their
own -- spoofing ssh is hard without access to the host key(s) -- but seeing as
the net still puts much trust in those ...

> Could some sort of port ACL simply be used that says a particular UID can
> allocate a particular range of ports?

authbind
<URL:http://www.chiark.greenend.org.uk/ucgi/~ijackson/cvsweb/authbind/> is an
effort in this direction.

-- 
Robbe
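The per-UID port ACL that Blue Boar asks about and that authbind implements can be sketched as a small policy checker. The following is an added example, not code from this thread or from authbind; its policy syntax (`uid:port` or `uid:min-max`) and the service UIDs in the sample policy are constructed for the example. It keeps the classic rule (root may bind anything, everyone may bind ports at or above the privileged boundary) and adds explicit grants for named UIDs, so an unlisted user still gets "deny" on port 21 even while the real ftpd is down for an upgrade. On Linux it reads the boundary from the real `net.ipv4.ip_unprivileged_port_start` sysctl and falls back to 1024 elsewhere.

```python
"""Port ACL checker: which UID may bind which low port.

Added example modelled on the idea behind authbind (per-uid port grants);
neither the policy format nor the code is authbind's own.
"""
import os
from typing import Dict, List, Tuple

DEFAULT_PRIV_BOUNDARY = 1024  # classic Unix rule: ports below this need uid 0

# Constructed sample policy (UIDs are hypothetical). One grant per line:
#   "<uid>:<port>"  or  "<uid>:<min>-<max>"
SAMPLE_POLICY = """
# ftp service account may take port 21 only
201:21
# web service account may take 80 and 443
202:80
202:443
# a test account may use a whole low range
203:1000-1023
"""


def privileged_boundary() -> int:
    """First port that needs no privilege on this host.

    Linux exposes it as net.ipv4.ip_unprivileged_port_start (default 1024);
    on other systems assume the traditional 1024.
    """
    try:
        with open("/proc/sys/net/ipv4/ip_unprivileged_port_start") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return DEFAULT_PRIV_BOUNDARY


def parse_policy(text: str) -> Dict[int, List[Tuple[int, int]]]:
    """Parse the constructed policy format into {uid: [(min, max), ...]}."""
    grants: Dict[int, List[Tuple[int, int]]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        try:
            uid_s, range_s = line.split(":", 1)
            uid = int(uid_s)
            if "-" in range_s:
                lo_s, hi_s = range_s.split("-", 1)
                lo, hi = int(lo_s), int(hi_s)
            else:
                lo = hi = int(range_s)
        except ValueError as e:
            raise ValueError(f"policy line {lineno}: cannot parse {raw!r}") from e
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"policy line {lineno}: bad port range {lo}-{hi}")
        grants.setdefault(uid, []).append((lo, hi))
    return grants


def may_bind(uid: int, port: int, grants: Dict[int, List[Tuple[int, int]]],
             boundary: int = DEFAULT_PRIV_BOUNDARY) -> bool:
    """Decide whether uid may bind port.

    Order of rules: ports at or above the boundary are open to everyone;
    uid 0 keeps its traditional right to any port; every other uid needs an
    explicit grant. Unlisted uids are denied, so the ACL narrows who can take
    port 21 from "root" to "root plus the ftp account" rather than widening it.
    """
    if not (0 < port <= 65535):
        raise ValueError(f"port out of range: {port}")
    if port >= boundary:
        return True
    if uid == 0:
        return True
    return any(lo <= port <= hi for lo, hi in grants.get(uid, ()))


def check_current_user(port: int, grants: Dict[int, List[Tuple[int, int]]]) -> bool:
    """Apply the policy to the calling process on this host's real boundary."""
    return may_bind(os.getuid(), port, grants, privileged_boundary())


if __name__ == "__main__":
    g = parse_policy(SAMPLE_POLICY)
    for uid, port in [(201, 21), (201, 80), (0, 21), (1000, 21), (1000, 8080), (203, 1010)]:
        verdict = "allow" if may_bind(uid, port, g) else "deny"
        print(f"uid {uid:>4} port {port:>5}: {verdict}")
```

The decision function is the whole point: a bind attempt by the trojanised ftpd from Robbe's example falls through to the last line, finds no grant for Joe's UID, and is refused regardless of whether the legitimate ftpd currently holds the port.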

