www user than root
Abu Khaled
khaled.abu at gmail.com
Thu Jun 23 13:23:15 GMT 2005
On 6/23/05, Jeremie Le Hen <jeremie at le-hen.org> wrote:
> > Most daemons that bind to "privileged" ports and run as a non-root uid,
> > start as root, then change the effective UID after binding to the port.
>
> Yes. Secure programs like Postfix (smtp), OpenSSH, vsftpd and Dovecot
> (imap) use privilege separation. For instance if you need to open the
> TCP port 80 lately, you could use a separate process for this purpose
> only and communicate through it (through a UNIX socket). There is
> obviously some performance degradation if you need to use high speed
> communications, but this is a trade-off if you really need to open a
> privileged port lately and you want security.
>
> Regards,
> --
> Jeremie Le Hen
> < jeremie at le-hen dot org >< ttz at chchile dot org >
Is it a good idea to run daemons on non-privileged ports as a normal
user (eg. www) and then have natd or a firewall redirect the traffic
targeting the privileged port?
For example:
A web server running as user www on port 8000.
IPFW, IPNAT, PF or NATD redirecting port 80 to port 8000.
Is such a solution a good idea?
I read in man natd that one can redirect traffic coming in on the
gateway on port 80 to one or many servers running daemons on
non-privileged ports.
--
Kind regards
Abu Khaled
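The redirect described in the question, written out as a pf.conf fragment. This is an added example, not configuration from the thread or from any of the posters; the interface name fxp0 and the port 8000 are assumptions. The point the question leaves open is what happens to connections that go straight to port 8000: here the daemon is bound to 127.0.0.1 only, so the only way to reach it from outside is through the rdr rule.

```pf
# pf.conf fragment (added example; fxp0 is an assumed interface name)
ext_if   = "fxp0"
www_port = "8000"

# The web server runs as user www and listens on 127.0.0.1:8000 only.
# Traffic arriving on the external interface for port 80 is rewritten
# to 127.0.0.1:8000 before it is delivered locally.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> 127.0.0.1 port $www_port

# Filter rules are evaluated on the translated packet, so the pass rule
# names the post-rdr address and port. A direct connection to
# <external address>:8000 is not translated and is dropped by the block.
block in on $ext_if
pass in on $ext_if proto tcp from any to 127.0.0.1 port $www_port flags S/SA keep state
```

Two things to keep in mind with this layout. The rdr rule only applies to packets entering $ext_if, so a client on the box itself connecting to localhost:80 is not redirected (add a second rdr on lo0 if that matters), and the daemon's own logs will show connections to port 8000, not 80. The ipfw equivalent is `ipfw add fwd 127.0.0.1,8000 tcp from any to me 80 in`, which on FreeBSD of that era requires a kernel built with `options IPFIREWALL_FORWARD`.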