[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Got root?


I know that this might sound like a stupid question, but its one that has 
been bugging me.

Why does UNIX continue to give root access to all deamons below port 1024?

I know that UNIX does it so that normal users can't seem like legit and 
important services, but there surely must be some better way of delegating a 
port below 1024 to a deamon.

A while ago, I remember reading on slashdot about how TrustedBSD and OpenBSD 
were different from each other.  One of the differences was the fact that 
TrustedBSD used ACLs to give acccess to whatever for whomever.  Couldn't you 
essentially do the same for ports?  (Instead of giving access to files, you 
would give acces to ports)

It would be like having a file called /etc/acl.ports (or something) and 
within the file, would be a list which binaries are allowed to bind to what 
ports.  (an example is provided below)

# /etc/acl.ports
# Port Numbers               binary
80      /usr/local/apache/bin/httpd
22          /usr/local/openssh/sshd
21         /usr/local/anonftpd/ftpd

This way, not only would root have control over all ports below 1024, but the 
deamons themselves don't need to be running as root.  (I also think that it 
would be very odd for a deamon _needing_ root access to run in the first 
place ...)

Thanks for hearing me out.  I could be very wrong on all of this.  (Sorry if 
I am)  I would just like to know why this hasn't been implemented in UNIX.  
(Actually, I did once hear about some patch to the LInux kernel that did 
something similar, but I have yet to find the patch)

Sunny Dubey
<insert funny-witty comment here>

Reply to: