| |||||||||||||
LCE: The failure of operating systems and how we can fix itLCE: The failure of operating systems and how we can fix itPosted Nov 24, 2012 19:13 UTC (Sat) by dlang (✭ supporter ✭, #313)In reply to: LCE: The failure of operating systems and how we can fix it by Cyberax Parent article: LCE: The failure of operating systems and how we can fix it
I don't have the time to look it up right now, but I remember seeing a /proc entry that removed the <1024 limit.
I agree that in the modern Internet, that really doesn't make sense, but going back, you had trusted admins (not just of your local box, but of the other boxes you were talking to), and in that environment it worked.
so think naive not moronic
remember, these are the same people who think that firewalls are evil because they break the unlimited end-to-end connectivity of the Internet. :-)
(Log in to post comments)
LCE: The failure of operating systems and how we can fix it Posted Nov 24, 2012 19:21 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link]
>I don't have the time to look it up right now, but I remember seeing a /proc entry that removed the <1024 limit.
There is no such record (I naively thought so too). You can check the Linux source.
>I agree that in the modern Internet, that really doesn't make sense, but going back, you had trusted admins (not just of your local box, but of the other boxes you were talking to), and in that environment it worked.
>remember, these are the same people who think that firewalls are evil because they break the unlimited end-to-end connectivity of the Internet. :-)
LCE: The failure of operating systems and how we can fix it Posted Nov 24, 2012 19:26 UTC (Sat) by dlang (✭ supporter ✭, #313) [Link]
>> I don't have the time to look it up right now, but I remember seeing a /proc entry that removed the <1024 limit.
> There is no such record (I naively thought so too). You can check the Linux source.
Ok, I thought I remembered seeing it at some point in the past, I may have mixed it up with the ability to bind to IP addresses that aren't on the box <shrug>
I wonder how quickly someone could whip up a patch to add this ;-)
seriously, has this been discussed and rejected, or has nobody bothered to try and submit something like this?
LCE: The failure of operating systems and how we can fix it Posted Nov 24, 2012 19:58 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link]
Yes, I remember that such patch was proposed way back then and rejected. And now it will be further complicated by cgroups/namespaces/whatever.
LCE: The failure of operating systems and how we can fix it Posted Jan 10, 2013 12:03 UTC (Thu) by dps (subscriber, #5725) [Link]
Putting my system admin hat on I want both border *and* host security. There is a lot that makes sense to block at borders because outsiders have no business using them. Servers on the safe side of firewalls often have to have more services configured and are therefore less secure.
If both a border firewall blocks some attack traffic then a security bug on an internal system is not immediately fatal and there is time to fix it before the border firewall's security is breached. If that has not happened that implies nobody worthwhile has tried or you can't detect security breaches.
In an ideal world there would be no need for security because nobody would even think of doing a bad dead. The world has never been that way.
|
|||||||||||||