Re: Got root?
Ummm.. you got it a bit backwards... UNIX does not *give* root access to
daemons below 1024... The program (not necessasarily a daemon) must HAVE
root access before it can bind to a port below 1024.
That said, you may be on to something. It sounds like a good idea to
me... but that doesn't necessarily mean anything.
Sunny Dubey wrote:
> I know that this might sound like a stupid question, but its one that has
> been bugging me.
> Why does UNIX continue to give root access to all deamons below port 1024?
> I know that UNIX does it so that normal users can't seem like legit and
> important services, but there surely must be some better way of delegating a
> port below 1024 to a deamon.
> A while ago, I remember reading on slashdot about how TrustedBSD and OpenBSD
> were different from each other. One of the differences was the fact that
> TrustedBSD used ACLs to give acccess to whatever for whomever. Couldn't you
> essentially do the same for ports? (Instead of giving access to files, you
> would give acces to ports)
> It would be like having a file called /etc/acl.ports (or something) and
> within the file, would be a list which binaries are allowed to bind to what
> ports. (an example is provided below)
> # /etc/acl.ports
> # Port Numbers binary
> 80 /usr/local/apache/bin/httpd
> 22 /usr/local/openssh/sshd
> 21 /usr/local/anonftpd/ftpd
> This way, not only would root have control over all ports below 1024, but the
> deamons themselves don't need to be running as root. (I also think that it
> would be very odd for a deamon _needing_ root access to run in the first
> place ...)
> Thanks for hearing me out. I could be very wrong on all of this. (Sorry if
> I am) I would just like to know why this hasn't been implemented in UNIX.
> (Actually, I did once hear about some patch to the LInux kernel that did
> something similar, but I have yet to find the patch)
> Sunny Dubey
> <insert funny-witty comment here>
ETN Systems Inc.
- Got root?
- From: Sunny Dubey <email@example.com>