On Wednesday 07 August 2002 12:51, David Laight wrote:
> > since the change only affects the bind(2) operation, i don't believe this
> > will adversely affect the performance of the network operations.
>
> Remember that it is valid to call bind() before calling connect().
> You probably don't want to allow unprivileged users to obtain
> ports <1024 that way.

i'm not sure i quite understand what you mean.

do you mean that on a system compiled without NOPRIVPORTS (or with my proposed 
sysctls set to 1), an unprivilaged user may bind to a high-number port, then 
modify the sockaddr struct such that when they call listen(2) they open up a 
privilaged port?  if so, then this is a flaw outside the scope of my change.

currently, a kernel compiled with NOPRIVPORTS allows any user to bind to any 
port.  a kernel compiled without NOPRIVPORTS allows only a user with 
superuser privilages to bind to ports < 1024.  

the point of my change is to replace that kernel option (NOPRIVPORTS) with a 
runtime sysctl.  i found no code, other than bind(2) that checks for the 
NOPRIVPORTS option.  since my change simply makes this a runtime configured 
option i only changed the implementation of the current scheme.

--joe