From [EMAIL PROTECTED] Thu Jan 24 21:44:35 2002

>> I cannot change UNIX rules.....
>> 
>> If you like to create a socket connection with a port number < 1024 you 
>> need to be root. If you like to understand what you need to do, just read
>> the man page for cdrecord and for rscsi. They do list the actions to allow
>> a suid root installation.

>I don't see any UNIX rules which require your application to run on a 
>restricted port. You have chosen to do so, but that's not a requirement. 
>I think it's safe to say that many sites now have rules about programs 
>which have root access (which is why INN has a tiny program easily read 
>to open the port, give up root, and then start innd).

It _is_ required. The only other way of doing it would be the way GNUtar
does it and if you ever tried gnutar vs. star to do remote tape access,
you know that gnutar is boringly slow.

As it does not make sense to implement a separate base protocol for something
like rmt or rscsi, both of course use rcmd().

shell           514/tcp         cmd             # no passwords used

Voilà, this _is_ < 1024.

>That's just a general comment, setting up a safe (chroot) environment is 
>non-trivial, running ANY setuid root code is either unsafe or requires a 
>level of trust in both the intent and execution of the code. If sendmail 
>and ssh can be hacked to take advantage of root access, I think any such 
>code should be considered for a "is there another way?" design review.

I learned a few weeks ago that it is _impossible_ to capture a program in
a chrooted environment if it runs as root!


Believe me that the way I did it in cdrecord and rscsi is the safest way.
Just do what Open Source is for and read the source and the comments inside.

Jörg

 EMail:[EMAIL PROTECTED] (home) Jörg Schilling D-13353 Berlin
       [EMAIL PROTECTED]               (uni)  If you don't have iso-8859-1
       [EMAIL PROTECTED]           (work) chars I am J"org Schilling
 URL:  http://www.fokus.gmd.de/usr/schilling   ftp://ftp.fokus.gmd.de/pub/unix
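The two designs argued over in this thread, an rcmd()-style reserved port that can only be opened by root and the INN-style "open the port as root, then give up root" pattern, as an added example. This is not code from cdrecord, rscsi or INN; the port number 514 is the one quoted from /etc/services above, while the unprivileged uid/gid 65534 and the loopback address are assumptions made for the demonstration.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef IPPORT_RESERVED
#define IPPORT_RESERVED 1024 /* classic BSD rule: ports below this need root */
#endif

#define RSH_PORT 514      /* "shell" in /etc/services, the port rcmd() talks to */
#define UNPRIV_UID 65534  /* hypothetical unprivileged uid ("nobody" on many systems) */
#define UNPRIV_GID 65534  /* hypothetical unprivileged gid */

/* 1 if the classic reserved-port rule applies to this port, else 0. */
int port_is_reserved(int port) {
    return port > 0 && port < IPPORT_RESERVED;
}

/* Try to bind a TCP socket to 127.0.0.1:port. Returns 0 on success or the
 * errno of the failing call (EACCES is what an unprivileged process gets for
 * a reserved port). If keep_fd is non-NULL the bound socket is left open and
 * returned there; otherwise it is closed again before returning. */
int bind_loopback_port(int port, int *keep_fd) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd == -1)
        return errno;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((uint16_t)port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == -1) {
        int err = errno;
        close(fd);
        return err;
    }
    if (keep_fd)
        *keep_fd = fd;
    else
        close(fd);
    return 0;
}

/* Give up root for good, INN-style: the privileged work (the bind) is done
 * before this is called. Order matters: supplementary groups first, then
 * gid, then uid, because after setuid() the other two calls are refused.
 * Returns 0 only when the process is verifiably unprivileged afterwards,
 * -1 with errno set otherwise. */
int drop_root(uid_t uid, gid_t gid) {
    if (uid == 0) {           /* "dropping" to root is not a drop */
        errno = EINVAL;
        return -1;
    }
    if (geteuid() == 0) {
        if (setgroups(0, NULL) == -1) return -1;
        if (setgid(gid) == -1) return -1;
        if (setuid(uid) == -1) return -1;   /* sets real, effective and saved uid */
    }
    /* The drop must be irreversible: regaining root has to fail. */
    if (geteuid() == 0 || setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void) {
    int fd = -1;
    int err = bind_loopback_port(RSH_PORT, &fd);
    printf("bind 127.0.0.1:%d as euid %d: %s\n", RSH_PORT, (int)geteuid(),
           err ? strerror(err) : "ok (reserved port opened)");
    if (err == 0 && geteuid() == 0) {
        /* The listening socket stays open across the privilege drop. */
        if (drop_root(UNPRIV_UID, UNPRIV_GID) == -1) {
            perror("drop_root");
            return 1;
        }
        printf("now euid %d, fd %d still bound; setuid(0) %s\n",
               (int)geteuid(), fd, setuid(0) == -1 ? "refused" : "SUCCEEDED (bug)");
    }
    if (fd != -1)
        close(fd);
    return 0;
}
```

Run it unprivileged and the bind to 514 fails with EACCES, which is the rule Jörg is pointing at; run it as root and the port opens, after which drop_root() leaves the socket usable but the process unable to get root back. The check at the end of drop_root() is the part worth copying: setuid() as root replaces the saved uid too, so a later setuid(0) must fail, and a privilege drop that does not verify this is the usual mistake in suid code.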

