I'm trying to duplicate the functionality of rsh, mount,
etc which restricts incoming requests to a server to the
reserved ports below 1024 which only root on the client
machine can allocate. Only root (netcat) on a client
machine will be able to allocate a reserved port.
Server gets remote host and port via getpeername.
If the port number is not less than 1024 and from the
expected client, the request is rejected.
Yes I know this is not best security but it is sufficient
for my purposes, given that other security mechanisms
such as encryption can still be compromised by root on
the client machine.
What would be useful would be a range of port numbers
specified on the port switch (e.g. -p 1023-512 to look from
1024 downwards for a reserved port, or -p 512-1023).
Logged In: YES
user_id=361125
Hi Peter.
I like your proposal, and I'll schedule it for the next
major version of Netcat. I branched my project in version
0.7.x, and unfortunately your proposal requires massive code
change and must go in the development branch.
As a workaround, you may try all available ports until you
find one working:
$ for ii in `seq 1022 1024`; do echo port $ii; if netcat -vp $ii somewhere 80; then break; fi; done
port 1022
Error: Couldn't create connection (err=-3): Permission denied
port 1023
Error: Couldn't create connection (err=-3): Permission denied
port 1024
somewhere [1.2.3.4] 80 (http) open
^C
Logged In: YES
user_id=137129
Thanks. Looping through the reserved ports in a script gets
a little inelegant. The return code is always 1 and stderr
needs to be grepped for "address already in use". So this
wheel is best invented within netcat itself.
You might also consider the other side of privileged port
handling - restrict incoming connections to the privileged
range. This could be done by command line switches or by
making hostname and port number somehow available to
downstream scripts. The latter mechanism would allow host
based authentication to be implemented within the
downstream scripts.
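The server-side check the original post describes (getpeername on the accepted connection, reject if the source port is 1024 or above) together with the host-based restriction suggested just above, as an added Python example that is not netcat's own code. The allow list, the reply strings and the loopback demo are assumptions for illustration; the demo's client is deliberately unprivileged, so it lands on an ephemeral port and is rejected, which is exactly the behaviour the thread wants. The check is only as trustworthy as root on the allowed hosts and the path between them, as the original post already concedes.

```python
import socket
import threading

RESERVED_PORT_LIMIT = 1024  # source ports below this need root on the client (the thread's premise)


def check_peer(conn, allowed_hosts):
    """Classify one accepted connection the way rsh/mount-style servers do.

    getpeername() returns the address the client connected from; a source port
    at or above 1024 could have been chosen by any unprivileged user, so it is
    rejected even when the host itself is on the allow list.
    """
    host, port = conn.getpeername()[:2]   # [:2] also covers IPv6 4-tuples
    if port >= RESERVED_PORT_LIMIT:
        return "rejected", "source port %d is not reserved" % port
    if host not in allowed_hosts:
        return "rejected", "host %s not in allow list" % host
    return "accepted", "reserved port %d from %s" % (port, host)


def serve_one(listener, allowed_hosts):
    """Accept a single connection, apply the check and tell the client the verdict."""
    conn, _ = listener.accept()
    with conn:
        verdict, reason = check_peer(conn, allowed_hosts)
        conn.sendall(verdict.upper().encode() + b"\n")
        return verdict, reason


def demo():
    """Constructed demo on loopback: the client gets an ephemeral (>= 1024) source
    port, so the server rejects it even though 127.0.0.1 is an allowed host.
    Binding the client below 1024 would need root, which is the whole point."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))           # any free port for the demo server
    listener.listen(1)
    outcome = {}

    def run_server():
        outcome["result"] = serve_one(listener, allowed_hosts={"127.0.0.1"})

    server = threading.Thread(target=run_server)
    server.start()
    client = socket.create_connection(listener.getsockname())
    reply = client.recv(32).strip().decode()
    client.close()
    server.join()
    listener.close()
    verdict, reason = outcome["result"]
    return verdict, reason, reply


if __name__ == "__main__":
    print(demo())
```

check_peer works on any object with a getpeername() method, so the same function can be exercised against a stub that reports a reserved source port, which is the "accepted" path the loopback demo cannot reach without root.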
Logged In: YES
user_id=361125
Can you better explain why netcat is always returning 1? If
it can successfully listen, and the connection is
successful, it returns 0.
The only situation I can think of is when it successfully
binds socket but later there is an error in the tcp
connection. Maybe this behaviour should change because it's
not a failure in its main activity (listening).
Logged In: YES
user_id=137129
Sorry. I didn't explain that well. I meant that when looping
through the reserved ports in the shell you can't distinguish
an error such as "permission denied (can't bind to reserved
port)" in which you continue looping from any other
terminating error (e.g. "connection refused") because the
return code for both errors is 1.
So you have to resort to grepping for the error message in
stderr. All fairly simple scripting but ugly.
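The port search that the earlier shell workaround performs, and the errno distinction this reply says a shell loop cannot make from netcat's exit code, as an added Python example that is not netcat's code. bind_from_range walks a port range in the direction it is written (the proposed -p 1023-512 / -p 512-1023 syntax), treats "address already in use" and "permission denied" as "try the next port", and lets any other error propagate instead of flattening everything to exit status 1. The demo, the loopback address and the high port range are assumptions so that it runs without root; as root the same call with (1023, 512) walks the reserved range.

```python
import errno
import socket


def bind_from_range(sock, first, last, addr="127.0.0.1"):
    """Bind sock to the first usable port between first and last, walking in the
    direction the range is written (1023-512 goes downwards, 512-1023 upwards).

    EADDRINUSE and EACCES mean "try the next port"; anything else is a real
    failure and is raised rather than being hidden behind a single exit code.
    Returns the bound port and a dict of the ports skipped with their errno names.
    """
    step = 1 if first <= last else -1
    skipped = {}
    for port in range(first, last + step, step):
        try:
            sock.bind((addr, port))
            return port, skipped
        except OSError as exc:
            if exc.errno in (errno.EADDRINUSE, errno.EACCES):
                skipped[port] = errno.errorcode[exc.errno]
                continue
            raise        # e.g. EADDRNOTAVAIL: stop, do not keep looping
    raise OSError(errno.EADDRNOTAVAIL, "no usable port in %d-%d" % (first, last))


def demo(span=10):
    """Constructed demo that needs no privileges: hold one free high port
    ourselves, then search upwards from it. The search records that port as
    EADDRINUSE and settles on a later one, which is what the shell loop had to
    grep stderr to find out."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))              # kernel picks a free port for us
    busy = holder.getsockname()[1]
    seeker = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        port, skipped = bind_from_range(seeker, busy, busy + span)
    finally:
        seeker.close()
        holder.close()
    return busy, port, skipped


if __name__ == "__main__":
    busy, port, skipped = demo()
    print("held %d, bound %d, skipped %r" % (busy, port, skipped))
```

Because the skipped dict carries the errno name per port, a caller (or netcat itself, once the feature lands) can report "permission denied" and "address already in use" separately instead of the single exit status the reply complains about.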
Logged In: YES
user_id=361125
Ok, you are right. I'll schedule this feature for the
upcoming development version. Expect it in a month or so.
If you have further comments about this let me know here.
Regards