[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Got root?

Ummm.. you got it a bit backwards... UNIX does not *give* root access to
daemons below 1024... The program (not necessasarily a daemon) must HAVE
root access before it can bind to a port below 1024.

That said, you may be on to something. It sounds like a good idea to
me... but that doesn't necessarily mean anything.


Sunny Dubey wrote:
> Hi
> I know that this might sound like a stupid question, but its one that has
> been bugging me.
> Why does UNIX continue to give root access to all deamons below port 1024?
> I know that UNIX does it so that normal users can't seem like legit and
> important services, but there surely must be some better way of delegating a
> port below 1024 to a deamon.
> A while ago, I remember reading on slashdot about how TrustedBSD and OpenBSD
> were different from each other.  One of the differences was the fact that
> TrustedBSD used ACLs to give acccess to whatever for whomever.  Couldn't you
> essentially do the same for ports?  (Instead of giving access to files, you
> would give acces to ports)
> It would be like having a file called /etc/acl.ports (or something) and
> within the file, would be a list which binaries are allowed to bind to what
> ports.  (an example is provided below)
> # /etc/acl.ports
> # Port Numbers               binary
> 80      /usr/local/apache/bin/httpd
> 22          /usr/local/openssh/sshd
> 21         /usr/local/anonftpd/ftpd
> This way, not only would root have control over all ports below 1024, but the
> deamons themselves don't need to be running as root.  (I also think that it
> would be very odd for a deamon _needing_ root access to run in the first
> place ...)
> Thanks for hearing me out.  I could be very wrong on all of this.  (Sorry if
> I am)  I would just like to know why this hasn't been implemented in UNIX.
> (Actually, I did once hear about some patch to the LInux kernel that did
> something similar, but I have yet to find the patch)
> Sunny Dubey
> <insert funny-witty comment here>


Rich Puhek               
ETN Systems Inc.         

Reply to: