[5042] in WWW Security List Archive
Re: Security issues in Apache?
daemon@ATHENA.MIT.EDU (David W. Morris)
Sat Apr 12 19:12:09 1997
Date: Sat, 12 Apr 1997 10:40:04 -0700 (PDT)
From: "David W. Morris" <dwm@xpasc.com>
To: Steve Phelps <steve@epic.co.uk>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <2.2.32.19970410134515.00bf16e4@post.epic.co.uk>
Errors-To: owner-www-security@ns2.rutgers.edu

On Thu, 10 Apr 1997, Steve Phelps wrote:

> source port in TCP/IP packet because it is so easy to forge anyway, but I'd
> still feel a bit uncomfortable allowing non-privileged processes to connect
> below 1024.

You miss the point ... to use the INET group one must be privileged as one
must be a member of the INET group, yet one does not need ROOT level
privileges on the system so the system is less exposed to ill behaviors in
your software.

The only advantage to port restrictions for filter rule purposes is that
the person performing the filtering might be expected to know the
characteristics of the systems they are protecting and willing to allow
inbound connections to privileged access ports but not arbitrary ports
which might represent an X-server or other known unsafe program. There is
no security value in applying filtering to the remote port address.

Dave Morris