#2 Dynamically assign a reserved source port (512-1023)

Development branch
open
None
5
2004-02-29
2004-02-17
No

I'm trying to duplicate the functionality of rsh, mount,
etc. which restricts incoming requests to a server to the
reserved ports below 1024 which only root on the client
machine can allocate. Only root (netcat) on a client
machine will be able to allocate a reserved port.
The server gets the remote host and port via getpeername.
If the port number is not less than 1024 and from the
expected client, the request is rejected.
Yes, I know this is not the best security but it is sufficient
for my purposes, given that other security mechanisms
such as encryption can still be compromised by root on
the client machine.
What would be useful would be a range of port numbers
specified on the port switch (e.g. -p 1023-512 to look from
1024 downwards for a reserved port, or -p 512-1023).
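The server-side half of the request, written out in C as an added example (this is not GNU Netcat's own code): after accept() the server asks the kernel for the peer address with getpeername(), and the connection is served only if it comes from the expected client host and from a source port in the reserved range 1-1023. The expected client address and the listening port are command-line arguments in the demo main(); the names peer_allowed, peer_allowed_str and vet_accepted_connection are this example's own.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define RESERVED_PORT_MAX 1023  /* ports 1-1023: only root may bind them on a Unix client */

/* Pure policy check: the peer must be the expected client host and must have
   connected from a reserved source port. Anything else is rejected. */
int peer_allowed(const struct sockaddr_in *peer, const char *expected_host)
{
    struct in_addr want;
    if (inet_pton(AF_INET, expected_host, &want) != 1)
        return 0;                                  /* unparsable expectation: deny */
    if (peer->sin_family != AF_INET || peer->sin_addr.s_addr != want.s_addr)
        return 0;                                  /* wrong client machine */
    int port = ntohs(peer->sin_port);
    return port >= 1 && port <= RESERVED_PORT_MAX;
}

/* Same check on dotted-quad text, handy for testing or for vetting a log line. */
int peer_allowed_str(const char *peer_ip, int peer_port, const char *expected_host)
{
    struct sockaddr_in peer;
    memset(&peer, 0, sizeof peer);
    peer.sin_family = AF_INET;
    if (inet_pton(AF_INET, peer_ip, &peer.sin_addr) != 1)
        return 0;
    peer.sin_port = htons((unsigned short)peer_port);
    return peer_allowed(&peer, expected_host);
}

/* After accept(): ask the kernel who is on the other end with getpeername(),
   as the request describes, and drop the connection unless the check passes.
   Returns 0 if the connection may be served, -1 (and closes fd) otherwise. */
int vet_accepted_connection(int fd, const char *expected_host)
{
    struct sockaddr_in peer;
    socklen_t len = sizeof peer;
    if (getpeername(fd, (struct sockaddr *)&peer, &len) < 0)
        return -1;
    if (!peer_allowed(&peer, expected_host)) {
        char ip[INET_ADDRSTRLEN];
        inet_ntop(AF_INET, &peer.sin_addr, ip, sizeof ip);
        fprintf(stderr, "rejected %s:%d: not %s or source port > %d\n",
                ip, ntohs(peer.sin_port), expected_host, RESERVED_PORT_MAX);
        close(fd);
        errno = EACCES;
        return -1;
    }
    return 0;
}

/* Stand-alone demo: listen on the given port, vet every client, answer the good ones. */
int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <listen-port> <expected-client-ip>\n", argv[0]);
        return 2;
    }
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    int one = 1;
    setsockopt(lfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in local = { .sin_family = AF_INET,
                                 .sin_port = htons((unsigned short)atoi(argv[1])),
                                 .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (bind(lfd, (struct sockaddr *)&local, sizeof local) < 0 || listen(lfd, 1) < 0) {
        perror("listen");
        return 1;
    }
    for (;;) {
        int cfd = accept(lfd, NULL, NULL);
        if (cfd < 0) { perror("accept"); return 1; }
        if (vet_accepted_connection(cfd, argv[2]) == 0) {
            const char msg[] = "ok: privileged client\n";
            write(cfd, msg, sizeof msg - 1);
            close(cfd);
        }
    }
}
```

The check has exactly the trust boundary the request states: it relies on the peer address the kernel reports and on root of the client machine being trusted, so it is host-based authentication and nothing more. Rejected connections are logged to stderr before they are closed, which is what a downstream script would want to see.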

Discussion

  • Giovanni Giacobbi

    Logged In: YES
    user_id=361125

    Hi Peter.

    I like your proposal, and I'll schedule it for the next
    major version of Netcat. I branched my project in version
    0.7.x, and unfortunately your proposal requires massive code
    change and must go in the development branch.

    As a workaround, you may try all available ports until you
    find one working:
    $ for ii in `seq 1022 1024`; do echo port $ii; if netcat -vp $ii somewhere 80; then break; fi; done
    port 1022
    Error: Couldn't create connection (err=-3): Permission denied
    port 1023
    Error: Couldn't create connection (err=-3): Permission denied
    port 1024
    somewhere [1.2.3.4] 80 (http) open
    ^C

     
  • Giovanni Giacobbi

    • assigned_to: nobody --> themnemonic
     
  • Peter McCormack

    Peter McCormack - 2004-02-19

    Logged In: YES
    user_id=137129

    Thanks. Looping through the reserved ports in a script gets
    a little inelegant. The return code is always 1 and stderr
    needs to be grepped for "address already in use". So this
    wheel is best invented within netcat itself.
    You might also consider the other side of privileged port
    handling - restrict incoming connections to the privileged
    range. This could be done by command line switches or by
    making hostname and port number somehow available to
    downstream scripts. The latter mechanism would allow host
    based authentication to be implemented within the
    downstream scripts.

     
  • Giovanni Giacobbi

    Logged In: YES
    user_id=361125

    Can you better explain why netcat is always returning 1? If
    it can successfully listen, and the connection is
    successful, it returns 0.

    The only situation I can think of is when it successfully
    binds the socket but later there is an error in the tcp
    connection. Maybe this behaviour should change because it's
    not a failure in its main activity (listening).

     
  • Giovanni Giacobbi

    • status: open --> pending
     
  • Peter McCormack

    Peter McCormack - 2004-02-29
    • status: pending --> open
     
  • Peter McCormack

    Peter McCormack - 2004-02-29

    Logged In: YES
    user_id=137129

    Sorry. I didn't explain that well. I meant that when looping
    through the reserved ports in the shell you can't distinguish
    an error such as "permission denied (can't bind to reserved
    port)", in which case you continue looping, from any other
    terminating error (e.g. "connection refused") because the
    return code for both errors is 1.
    So you have to resort to grepping for the error message in
    stderr. All fairly simple scripting but ugly.
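The client-side half, the port-range scan proposed in the request and approximated by the shell loop above, as an added C example (not GNU Netcat's own code). It does inside the program what the shell cannot do from netcat's exit status: it looks at errno after each failed bind() and keeps scanning only on EADDRINUSE, stopping at once on EACCES, since an unprivileged process will get the same answer for every port in 1-1023. The "-p" syntax parser accepts "1023-512" (scan downward), "512-1023" (scan upward) or a single port; the function names parse_port_range, bind_error_is_retryable and bind_source_port_range are this example's own.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Classify a failed bind(): only "port already taken" justifies moving on. */
int bind_error_is_retryable(int err)
{
    switch (err) {
    case EADDRINUSE:   /* another socket holds this port: try the next one */
        return 1;
    case EACCES:       /* not root: no reserved port will ever bind, stop now */
    default:           /* anything else is a genuine failure */
        return 0;
    }
}

/* Parse the proposed "-p" argument: "1023-512" (scan downward), "512-1023"
   (scan upward) or a single port. Returns 0 and fills from/to, or -1. */
int parse_port_range(const char *spec, int *from, int *to)
{
    int a, b;
    char junk;
    int n = sscanf(spec, "%d-%d%c", &a, &b, &junk);
    if (n == 1) {                       /* no "-NNN" part: single port */
        if (sscanf(spec, "%d%c", &a, &junk) != 1)
            return -1;                  /* trailing characters after the number */
        b = a;
    } else if (n != 2) {
        return -1;                      /* garbage, or trailing characters */
    }
    if (a < 1 || a > 65535 || b < 1 || b > 65535)
        return -1;
    *from = a;
    *to = b;
    return 0;
}

/* Walk the range, creating a fresh TCP socket for every attempt (a socket whose
   bind() failed is not reused). Returns the bound socket and stores the port
   in *bound, or -1 with errno set to the last bind() error. */
int bind_source_port_range(int from, int to, int *bound)
{
    int step = (from <= to) ? 1 : -1;
    for (int port = from;; port += step) {
        int fd = socket(AF_INET, SOCK_STREAM, 0);
        if (fd < 0)
            return -1;
        struct sockaddr_in local;
        memset(&local, 0, sizeof local);
        local.sin_family = AF_INET;
        local.sin_addr.s_addr = htonl(INADDR_ANY);
        local.sin_port = htons((unsigned short)port);
        if (bind(fd, (struct sockaddr *)&local, sizeof local) == 0) {
            *bound = port;
            return fd;
        }
        int saved = errno;
        close(fd);
        if (!bind_error_is_retryable(saved) || port == to) {
            errno = saved;
            return -1;
        }
    }
}

/* Stand-alone demo: "./a.out 1023-512" as root binds the highest free reserved
   port; as an ordinary user it stops on the first EACCES instead of looping. */
int main(int argc, char **argv)
{
    int from, to, port;
    const char *spec = argc > 1 ? argv[1] : "1023-512";
    if (parse_port_range(spec, &from, &to) < 0) {
        fprintf(stderr, "bad port range: %s\n", spec);
        return 2;
    }
    int fd = bind_source_port_range(from, to, &port);
    if (fd < 0) {
        fprintf(stderr, "no usable port in %s: %s%s\n", spec, strerror(errno),
                errno == EACCES ? " (reserved ports need root)" : "");
        return 1;
    }
    printf("bound source port %d; connect() would go out from here\n", port);
    close(fd);
    return 0;
}
```

The socket returned by bind_source_port_range is ready for connect(); the demo only prints the port and closes it. Exit status 1 is used for "no port in the range worked", whatever the cause, and stderr says which cause it was, so a calling script still gets the distinction the shell loop lacked.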

     
  • Giovanni Giacobbi

    Logged In: YES
    user_id=361125

    Ok, you are right. I'll schedule this feature for the
    upcoming development version. Expect it in a month or so.

    If you have further comments about this let me know here.

    Regards

     
  • Giovanni Giacobbi

    • milestone: --> Development branch
     
