Re: Guidance needed on well known ports

Harald Alvestrand <harald@alvestrand.no> Mon, 20 March 2006 16:08 UTC

Message-ID: <441ED375.50202@alvestrand.no>
Date: Mon, 20 Mar 2006 10:08:21 -0600
From: Harald Alvestrand <harald@alvestrand.no>
To: Ned Freed <ned.freed@mrochek.com>
References: <441C457D.5080900@cisco.com> <1142722547.1812.20.camel@mattugur.ifi.uio.no> <01M08N0RCFTS000078@mauve.mrochek.com> <20060320110923.GD31741@nic.fr> <441EB4BD.6000307@andybierman.com> <01M09QSI3LJ6000078@mauve.mrochek.com>
In-Reply-To: <01M09QSI3LJ6000078@mauve.mrochek.com>
Cc: ietf@ietf.org

Ned Freed wrote:
>
>> But does that student have access to the root account on servers which
>> are part of the networking infrastructure?   Who cares if Joe User
>> blows up his own config. on a PC that nobody else depends on but Joe?
>
> But if nobody has local access to these servers, why is it necessary or
> useful for servers to run with root access in order to bind to these
> ports?

I think the discussion has reinforced and crystallized my personal 
feeling on the subject:

- Services will have to start up listening to specific ports. Whether 
the port number is specified in an RFC, an SRV record or a config file 
on a dozen other hosts is in fact irrelevant to the fact that they have 
to start up knowing what port to listen to (unless they have write 
access to SRV).
- The "root gets to open ports < 1024" mechanism is harmful; there are 
ports < 1024 that need to be opened by non-root processes, and ports > 
1024 that need to be protected from "random programs".
- Conclusion 1: Hosts that care about separation of privileges need to 
be able to specify access rights on ports as part of their configuration 
- with "can be handed out to processes asking for a port" being one 
particular kind of access right.
- Conclusion 2: There is no reason for standards to uphold the 
distinction between <1024 and >1024 any more.

             Harald
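Conclusion 1 above is, in practice, what Linux later offered: the net.ipv4.ip_unprivileged_port_start sysctl moves (or removes) the boundary per host, and CAP_NET_BIND_SERVICE grants the right per binary or per service without root. The following is an added example, not code from the thread; it assumes a Linux host (the sysctl path and /proc/self/status are Linux-specific; other systems fall back to the classic 1024 rule) and shows how the rule is evaluated and what a refused bind actually looks like.

```python
import errno
import os
import socket

CAP_NET_BIND_SERVICE = 10          # Linux capability bit allowing bind() below the limit
SYSCTL_PATH = "/proc/sys/net/ipv4/ip_unprivileged_port_start"  # Linux >= 4.11


def has_cap_net_bind_service(status_text):
    """Parse the CapEff line of a /proc/<pid>/status dump and test bit 10."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            mask = int(line.split()[1], 16)
            return bool((mask >> CAP_NET_BIND_SERVICE) & 1)
    return False


def needs_privilege(port, unprivileged_start, euid, has_cap):
    """Linux rule: ports below ip_unprivileged_port_start need euid 0 or
    CAP_NET_BIND_SERVICE.  Setting the sysctl to 0 drops the <1024 distinction
    host-wide (Conclusion 2); granting the capability per binary (setcap, or
    systemd AmbientCapabilities=) is a per-service access right (Conclusion 1)."""
    if port >= unprivileged_start:
        return False
    return not (euid == 0 or has_cap)


def host_policy(port):
    """Evaluate needs_privilege() against the live host, falling back to the
    classic 1024 boundary and 'no capability' where the Linux files are absent."""
    try:
        with open(SYSCTL_PATH) as f:
            start = int(f.read().strip())
    except OSError:
        start = 1024
    try:
        with open("/proc/self/status") as f:
            cap = has_cap_net_bind_service(f.read())
    except OSError:
        cap = False
    return needs_privilege(port, start, os.geteuid(), cap)


def try_bind(port, host="127.0.0.1"):
    """Attempt the bind; return (bound_port, None) or (None, errno name).
    EACCES is the privilege refusal the thread discusses; EADDRINUSE is not."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return s.getsockname()[1], None
    except OSError as e:
        return None, errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()
```

Run `host_policy(80)` next to `try_bind(80)` as an unprivileged user and the two agree (True and EACCES); after `setcap cap_net_bind_service=+ep` on the interpreter, or with the sysctl set to 0, both change without the process ever being root.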

