[Zope] Starting Zope
Cary O'Brien
cobrien@Radix.Net
Sun, 30 Jul 2000 09:21:24 -0400 (EDT)
> Cary O'Brien wrote:
>
> > Well...
> >
> > If you are running on Linux you could simply edit the kernel code to
> > eliminate the check on being root to bind to low ports. That's what
> > we did.
>
> Which is an even worse idea.
>
Why? On a sufficiently firewalled-off box, where the few logins are
completely trusted, what's the diff? If you were worried about people
cracking a user account and getting underneath telnet, then limit the
lifting of the restriction to port 80. If you are concerned that
non-root users could launch attacks from low ports at other machines,
assuming that only good guys can come from low ports is pretty naive.

The whole business about not letting anyone but root bind to low ports
makes sense for a public access machine where all the first year
engineering students have an account, but for a dedicated application
server it is kind of misdirected. You ought to be running next to
nothing but the application, and you had better trust everyone that
you give a login to, and you ought to have the thing locked
down/firewalled well. So the tiny bit of possible protection may not
be worth the hassle/risks of writing your own suid-wrapper, or the
complexity of having a redirect and messing with site-access so that
the port numbers in the zope -- what it is that parameter -- base or
whatever, comes out right.
Just for fun - does NT have the same restriction?
-- cary
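The usual alternative to patching the kernel or writing a suid wrapper is the pattern below: bind the low port while still root, then drop to an unprivileged account before serving anything, since the kernel checks privilege only at bind time. This is an added example, not code from the thread or from Zope; the function names, the numeric fallback uid/gid 65534 and the sysctl fallback of 1024 are my own assumptions, and the /proc path is the tunable newer Linux kernels expose (the 2000-era kernels in the thread hard-code 1024).

```python
import os
import socket

# Newer Linux kernels expose the low-port threshold here; older ones hard-code 1024.
PROC_UNPRIV_START = "/proc/sys/net/ipv4/ip_unprivileged_port_start"


def privileged_port_threshold():
    """Ports below this value need root (or CAP_NET_BIND_SERVICE) to bind."""
    try:
        with open(PROC_UNPRIV_START) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 1024  # assumed fallback for kernels without the sysctl


def needs_privilege(port):
    return 0 < port < privileged_port_threshold()


def bind_listener(port, host="127.0.0.1"):
    """Bind and listen; returns the socket. Port 0 asks the kernel for a
    free ephemeral port, which lets the demo run without root."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(5)
    return sock


def drop_privileges(uid=65534, gid=65534):
    """Give up root for good: clear supplementary groups, setgid, then setuid
    (that order, or setgid fails once the uid is unprivileged).
    Returns the (uid, gid) now in effect; a no-op when not root."""
    if os.geteuid() != 0:
        return os.getuid(), os.getgid()
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    try:  # a real drop cannot be undone; verify rather than assume
        os.setuid(0)
    except OSError:
        return os.getuid(), os.getgid()
    raise RuntimeError("privilege drop did not stick")


def start_service(port, uid=65534, gid=65534):
    """Bind first (may need root), then drop; the bound socket keeps working."""
    sock = bind_listener(port)
    uid, gid = drop_privileges(uid, gid)
    return sock, uid, gid


if __name__ == "__main__":
    sock, uid, gid = start_service(0)
    print("listening on port %d as uid %d" % (sock.getsockname()[1], uid))
```

Run it as root with `start_service(80)` to take the real port; the process is unprivileged by the time any request is handled.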