Re: Guidance needed on well known ports

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ned Freed wrote:
Stephane Bortzmeyer wrote:
> On Sun, Mar 19, 2006 at 12:42:17PM -0800,
>  Ned Freed <ned.freed@xxxxxxxxxxx> wrote
>  a message of 35 lines which said:
>
>
>> The privileged port concept has some marginal utility on multiuser
>> systems where you don't Joe-random-user to grab some port for a well
>> known service.
>>
>
> "had", not "has". The concept was invented at a time where multi-users
> machines were rare and expensive monsters. So, a request coming from
> source port 513 probably was "serious". Today, any highschool student
> is root on his PC and therefore this protection is almost useless.
>


But does that student have access to the root account on servers which
are part of the networking infrastructure?   Who cares if Joe User
blows up his own config. on a PC that nobody else depends on but Joe?


But if nobody has local access to these servers, why is it is necessary or
useful for servers to run with root access in order to bind to these ports?

This is why I referred to the utility of this feature as marginal. Its realm of utility is being squeezed on one side by the trend to run critical network services on tightly locked down systems rather than on multiuser machines, and
on the other by users who want to run their own stuff doing so on their own
machines.

I simply don't have enough insight into global usage patterns to agree totally with Staphane's asssrtion that this now has no utility at all. But I think the
trends are pretty clear.

I find the argument flawed -- that because Joe User can be root on his own PC, the concept of privileged access to shared system-critical infrastructure is
somehow obsolete.

Joe User is not running critical servers - at least not under windows.
And if he really does, he will not do it very long :)

That is what my log on echnaton says. Echnaton used to be dsl-router
and still is my (local) dns-server, my ftp server, mail-server and
ssh-server. Echnaton is automatically running a bunch of things and
sending reports.

Nothing is done as root, because I am the sysop.

ssh, ftp, dns and other nameservices (port 42) all use privileged
ports - sometimes not the ports you would guess :)


djbdns the part about daemon-tools and tcp can help you out of
the user-root crisis.


With XEON, VM, CoLinux and others you can run a couple of virtual
machines on your one real machine. Running each of your servers
on its own virtual hostdoes not cost you much cpu or memory.
But running each of your servers in its own virtual machine will
protect your real machine from getting hacked.

So we still have the privileged ports even if they are distributed
over virtual machines.

User me still has no reason to bind to a privileged port - and if
I do I am shure it is a bug.

It does not make sense removing bug protection only because
some unfamous collection of bugs cannot be fixed.

Believe me it is a dynamically changeing collection of bugs only.
It has no operating system structure built in. There is nothing
you can relibly run a server on. I tried to.

It does not make sense to bend rules breaking systems that do
work as servers. Windows is not a player in the server business.


Regards
Peter and Karin Dambier

--
Peter and Karin Dambier
The Public-Root Consortium
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter@xxxxxxxxxxxxxxxx
mail: peter@xxxxxxxxxxxxxxxxxxxxx
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/


_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]