Great Circle Associates Firewalls
(September 1993)
 


Subject: Re: Access control for SMTP?
From: Brent Chapman <brent @ GreatCircle . COM>
Date: Thu, 23 Sep 1993 09:26:14 -0700
To: smb @ research . att . com
Cc: firewalls @ GreatCircle . COM
In-reply-to: Your message of Thu, 23 Sep 93 10:02:48 EDT

smb @ research . att . com writes:

# Root does make it worse, of course; along those lines, it's worth noting
# that ftpd doesn't -- and can't -- give up its root privileges entirely.
# It keeps them so that it can bind to port 20 for each data channel
# creation.  And yes, that code makes me extremely nervous.  A better
# interface is needed to permit safer ftpd operation while still adhering
# to that part of the protocol spec.
# 
# In fact, I've toyed with the idea of removing from our gateway machine
# the root-only restriction on creation of low-numbered ports.  That
# restriction is used to enable rsh and friends to work.  But no one
# trusts our gateway machine (as far as we know...); by changing the
# kernel, we can actually enhance the overall security of the system.

Now there's an interesting thought...  If I were doing that, I'd make
it so that clients that don't ask for a specific port number (i.e.,
they ask for a port, and any old port will do) still get a port number
>1024.  This is so that all the packet filtering rules that concern
themselves with ">1024" and "<1024" to distinguish servers from
clients will still work.


-Brent
--
Brent Chapman                                   Great Circle Associates
Brent @ GreatCircle . COM                       1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA  94041
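
Added example, not part of the original message: a small model of the stateless port-based filter rules the reply refers to, showing why a client that is handed a low port would have its return traffic dropped, plus a check of what port the local kernel assigns when asked for any port. The rule set, the SMTP service port, the sample client ports and all names are assumptions made for illustration; 1024 is taken as the first unprivileged port.

```python
import socket
from dataclasses import dataclass

UNPRIVILEGED_MIN = 1024  # assumption: first port outside the root-only range


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out" relative to the protected network
    src_port: int
    dst_port: int
    ack: bool        # TCP ACK bit; clear only on a connection's first packet


def filter_allows(pkt: Packet, service_port: int = 25) -> bool:
    """Stateless rules letting internal clients reach one external service."""
    if pkt.direction == "out":
        # Client -> server: high source port, well-known destination port.
        return pkt.src_port >= UNPRIVILEGED_MIN and pkt.dst_port == service_port
    # Server -> client replies: ACK set, well-known source, high destination.
    return (pkt.ack and pkt.src_port == service_port
            and pkt.dst_port >= UNPRIVILEGED_MIN)


def round_trip_allowed(client_port: int, service_port: int = 25) -> bool:
    """True if both the client's first packet and the server's reply pass."""
    syn = Packet("out", client_port, service_port, ack=False)
    reply = Packet("in", service_port, client_port, ack=True)
    return filter_allows(syn, service_port) and filter_allows(reply, service_port)


def kernel_assigned_port() -> int:
    """Ask the local kernel for any port (bind to 0) and report what it gave."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    for port in (900, 1023, 1024, 40000):   # constructed client ports
        print(port, "passes" if round_trip_allowed(port) else "blocked")
    print("kernel assigned port", kernel_assigned_port())
```
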

