Re: allowing ordinary users to open privileged ports

From: Casper Dik (casper_at_holland.sun.com)
Date: 09/06/04

    To: Kapetanakis Giannis <bilias@edu.physics.uoc.gr>
    Date: Mon, 06 Sep 2004 14:02:46 +0200
    
    

    >On Sat, 4 Sep 2004, Casper Dik wrote:
    >
    >> In Solaris 9 and before it is not possible to achieve this other than
    >> by running applications as root.
    >>
    >> In Solaris 10, you can give users the net_privaddr privilege
    >> which allows them to bind to privileged ports.
    >>
    >> Of course, this means that no part of the infrastructure should
    >> depend on reserved port based "authentication".
    >>
    >> (I.e., no .rhosts file authentication; no "auth_sys" NFS, etc.)
    >>
    >> Casper
    >
    >Just one question, by giving the net_privaddr privilege you allow
    >all low ports to the specific user, or is there a way to assign a set
    >of ports only?

    It's all or nothing; I agree it would be nice to have some other
    form of access control on specific ports.

    (For those of you suggesting the use of "ndd": ndd does not allow
    you to lower the lowest reserved port number)

    Casper
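
Since the grant is all or nothing, it helps to know which accounts hold it. The following is an added example, not part of the original thread: a shell audit that lists accounts whose `defaultpriv` in user_attr(4) format includes net_privaddr. The sample entries are constructed, the function names are hypothetical, and left-to-right handling of negated privileges is an assumption.

```shell
#!/bin/sh
# Added example: find accounts granted net_privaddr through user_attr(4).
# Scope: only defaultpriv= grants are checked; uid 0 and privileges handed
# out through rights profiles are not covered here.

# Constructed sample in user_attr(4) format: user:qualifier:res1:res2:attr
sample_user_attr() {
cat <<'EOF'
# constructed sample entries, not from a real system
root::::auths=solaris.*;profiles=All;type=normal
webservd::::type=normal;defaultpriv=basic,net_privaddr
alice::::type=normal;defaultpriv=basic
backup::::type=normal;defaultpriv=all
dnsadm::::defaultpriv=all,!net_privaddr;type=normal
EOF
}

# Reads user_attr lines on stdin, prints "user<TAB>reason" for every
# account whose default privilege set lets it bind any port below 1024.
audit_net_privaddr() {
    awk -F: '
    /^#/ || NF < 5 { next }
    {
        # Field 5 onward is the ";"-separated key=value attribute list.
        attr = $5
        for (i = 6; i <= NF; i++) attr = attr ":" $i
        n = split(attr, kv, ";")
        for (i = 1; i <= n; i++) {
            if (kv[i] !~ /^defaultpriv=/) continue
            m = split(substr(kv[i], 13), p, ",")
            granted = 0; reason = ""
            # Assumption: entries apply left to right; "!" or "-" removes.
            for (j = 1; j <= m; j++) {
                if (p[j] == "net_privaddr") { granted = 1; reason = "explicit" }
                else if (p[j] == "all" || p[j] == "zone") { granted = 1; reason = p[j] }
                else if (p[j] == "!net_privaddr" || p[j] == "-net_privaddr") granted = 0
            }
            if (granted) printf "%s\t%s\n", $1, reason
        }
    }'
}

sample_user_attr | audit_net_privaddr
```

On a live system the function would read `/etc/user_attr` instead of the sample; any account it lists is a reason to confirm that nothing still trusts reserved source ports (.rhosts, auth_sys NFS).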

