Subject: Re: NFS and privileged ports
To: Jason Thorpe <thorpej@shagadelic.org>
From: Luke Mewburn <lukem@NetBSD.org>
List: tech-net
Date: 11/09/2004 23:12:23

On Mon, Nov 08, 2004 at 05:31:14PM -0800, Jason Thorpe wrote:
  | Am I the only one who thinks that the privileged port requirement (that
  | can be disabled on a per-export basis with -noresvport) is just a
  | little silly in this day and age?
  |
  | I would really like to make -noresvport the default, and maybe add a
  | -resvport option for people who are under the false impression that the
  | privileged port requirement actually buys them extra security.
  |
  | Thoughts?

This would introduce a security regression for existing configurations;
you're proposing to reduce the default security level and require
that people rewrite their configuration to regain the security
environment they currently have.  Even with tools like
etc/postinstall this migration is fragile and prone to failure.

What I would instead suggest is to leave the default _as is_,
and instead provide command-line options that allow you to
set -noresvport and -noresvmnt on a global basis.

Cheers,
Luke.
