2008/12/3 Adrian Lienhard <[EMAIL PROTECTED]>:
> On Dec 2, 2008, at 23:04 , Alexandre Bergel wrote:
>
>> Yes, I read that. But is there any conceptual implication to have the port
>> 80 accessible only by root?
>> This looks to be very arbitrary, no?
>
> I don't think so. The lower port numbers are used for common services like
> http or mail for which always the same ports are used by convention. You
> wouldn't want to allow potentially hijacked processes to be able to bind
> to such ports (e.g., pretending to be your mail server).
>

What if your mail server bound to port 9999? :)
I don't see how disallowing binding a non-root process to ports less
than 1024 improves security much.
As well, I don't see why the Squeak VM should care about such details.

> Adrian
>
>>
>> Alexandre
>>
>>
>> On 2 Dec 2008, at 18:59, Janko Mivšek wrote:
>>
>>> Alexandre Bergel wrote:
>>>>>
>>>>> Unix blocks port 1 - 1024 for non root users. Running a Smalltalk
>>>>> image as root is obviously a very bad idea, especially when used for
>>>>> web services. Smalltalk is full of security holes (for example Object
>>>>> class>>#readFrom: uses the compiler) that would allow a smart person
>>>>> to gain root rights. It is always a good idea to run anything that is
>>>>> publicly reachable in some sort of a sandbox, even if this is just by
>>>>> using a non-privileged user.
>>>>
>>>> Hi Lukas,
>>>> I read the thread you mentioned. Isn't it feasible to make the port 80
>>>> accessible for a non-root process?
>>>> This is probably hardcoded in the kernel, but since this problem has
>>>> been around for years in most communities, why not fix this in the
>>>> kernel?
>>>> Just a very naive question :-)
>>>
>>> From a recent thread on squeak-dev you can see that we actually came to the
>>> solution of how to run on port 80 without being root. And the solution is as
>>> Apache is doing: starting with root then dropping the privilege level to the
>>> normal user.
>>>
>>> [squeak-dev] smalltalk and Web stuff
>>>
>>> http://www.nabble.com/-squeak-dev--smalltalk-and-Web-stuff-td20643881.html
>>>
>>> Best regards
>>> Janko
>>>
>>>
>>> --
>>> Janko Mivšek
>>> AIDA/Web
>>> Smalltalk Web Application Server
>>> http://www.aidaweb.si
>>>
>>> _______________________________________________
>>> Pharo-project mailing list
>>> [email protected]
>>> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
>>>
>>
>> --
>> _,.;:~^~:;._,.;:~^~:;._,.;:~^~:;._,.;:~^~:;._,.;:
>> Alexandre Bergel http://www.bergel.eu
>> ^~:;._,.;:~^~:;._,.;:~^~:;._,.;:~^~:;._,.;:~^~:;.
>>
>

--
Best regards,
Igor Stasenko AKA sig.
