clp@altos86.UUCP (Chuck L. Peterson) (05/24/89)
It seems to me that sendmail should disallow connections from ports which were not originated from priviledged ports using code similar to that in rlogind: if (fromp->sin_family != AF_INET || fromp->sin_port >= IPPORT_RESERVED) fatal(f, "Permission denied"); /usr/lib/sendmail should also be changed to obtain the "from" machine name using the internet number in sin_addr. Only Wizards should be asked for a machine name. If this has already been fixed; never mind (in gilda font). Chuck L. Peterson clp@altos.com
chris@mimsy.UUCP (Chris Torek) (05/24/89)
In article <1136@altos86.UUCP> clp@altos86.UUCP (Chuck L. Peterson) writes: >It seems to me that sendmail should disallow connections from ports >which were not originated from priviledged ports ... [like] rlogind: Privileged ports are a BSD-specific concept. Sendmail, unlike rlogin, uses a protocol that is not BSD-specific. -- In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7163) Domain: chris@mimsy.umd.edu Path: uunet!mimsy!chris
bzs@bu-cs.BU.EDU (Barry Shein) (05/25/89)
>Privileged ports are a BSD-specific concept. Sendmail, unlike rlogin, >uses a protocol that is not BSD-specific. >-- >In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7163) That's not true, TOPS-20 certainly had priviliged ports before the BSD internet releases. One problem was that TOPS-20 considered ports below 512 priviliged while BSD upped that to 1024 which doesn't work very well as a unilateral change since non-priv'd users on TOPS-20 systems still had access to the ports 512..1023. At any rate it's all pretty much a red herring since anyone with root access on their workstation or a PC implementation can get to the low numbered and reserved ports. It's a relic of the days when computers meant big time-sharing systems with very limited access to priv'd accounts so priv'd ports gave some protection. Today anything that relies on no one on your net being able to get to root on their machine is doomed. I suppose it could be argued that in some specific environments this would afford some more protection (eg. student time-sharing systems with no workstations on the network, sigh.) -- -Barry Shein Software Tool & Die, Purveyors to the Trade 1330 Beacon Street, Brookline, MA 02146, (617) 739-0202