| From | cross@spitfire.i.gajendra.net (Dan Cross) |
|---|---|
| Newsgroups | comp.unix.programmer |
| Subject | Re: MacOS TCP port permissions |
| Date | 2026-04-17 14:04 +0000 |
| Organization | PANIX Public Access Internet and UNIX, NYC |
| Message-ID | <10rtel4$jrs$1@reader1.panix.com> |
| References | <10rq7hc$1b1bt$1@dont-email.me> <10rqsr8$1bra1$1@dont-email.me> <wwv1pgevh3y.fsf@LkoBDZeT.terraraq.uk> <10rt267$1eh57$1@dont-email.me> |
In article <10rt267$1eh57$1@dont-email.me>, <boltar@caprica.universe> wrote:
>On Thu, 16 Apr 2026 20:29:37 +0100
>Richard Kettlewell <invalid@invalid.invalid> gabbled:
>>boltar@caprica.universe writes:
>>> Geoff Clare <geoff@clare.See-My-Signature.invalid> gabbled:
>>>>boltar wrote:
>>>>
>>>>> I've just discovered that the current version of MacOS I'm running
>>>>> (15.7.5) doesn't seem to enforce restricted TCP ports below 1024 and
>>>>> a process without root permission seems to be able to open a
>>>>> listening socket on any port it pleases. I'm using a standard user
>>>>> account without AFAIK any special privileges given to it.
>>>>>
>>>>> Perhaps MacOS never enforced this, anyone know?
>>>>
>>>> Apparently it changed in MacOS Mojave to match how iOS behaves.
>>>>
>>>> See https://developer.apple.com/forums/thread/674179
>>>
>>> Cheers for that. Whoever "DTS Engineer" is he clearly doesn't
>>> understand the reasons the restriction was put in in the first place,
>>> i.e. that the services on low ports are the real deal and not maybe some
>>> credential snatcher spun up by a user. E.g., running a hacked version of
>>> sshd on port 22.
>>
>>Aside from loopback, you never had that assurance anyway.
>>
>>In the case of SSH, the defence is host key verification, not which port
>>it runs on.
>
>A hacked version of ssh could save or forward everything it receives.

Not if it can't read the host key because it doesn't have permissions to
open the file the key is stored in, and so it cannot prove to clients
that it is the real SSH server (and users wisely refrain from further
interactions with it when their SSH client spits out an error telling
them this).

>Crypto is only useful outside of the process, inside it's irrelevant.

"Crypto" in this case is about authentication, not just privacy. Part
of the SSH protocol is mutually authenticating both the client _and_
the server using a cryptographically secured key exchange.

There is an argument that this is irrelevant for a user who has never
connected to that host before, and hence does not know what the host
key _should_ be. That's a valid point, but this is not new: it has been
known since SSH first arrived on the scene decades ago. The solution
has generally been to publish the host public key widely. But running
the server as "root" doesn't solve that problem, if "root" on the
destination machine has been compromised.

	- Dan C.
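The check the post relies on, worked through as an added editorial example (not code from Dan Cross's post, and not OpenSSH's own implementation): a client compares the public key the listener presents against its known_hosts file, and a listener that cannot read the real host key can only present a different one, which the client classifies as a mismatch regardless of the port it answers on. The key bytes, the HashKnownHosts salt and the hostnames below are all constructed for the example; the known_hosts line formats, the SHA256 fingerprint format and the hashed-hostname HMAC are the ones OpenSSH documents in sshd(8). Wildcard host patterns are handled with fnmatch; negated patterns and @cert-authority lines are not.

```python
import base64
import fnmatch
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length prefix."""
    return struct.pack(">I", len(data)) + data


def encode_public_key(key_type: str, raw_key: bytes) -> str:
    """Base64 key blob as it appears in known_hosts. For ssh-ed25519 the blob is
    string(key_type) || string(32-byte public key)."""
    blob = ssh_string(key_type.encode()) + ssh_string(raw_key)
    return base64.b64encode(blob).decode()


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(hostname: str, salt: bytes) -> str:
    """HashKnownHosts form: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def hostname_matches(field: str, hostname: str) -> bool:
    """Match the host field of a known_hosts line, hashed or plain (comma-separated patterns)."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, actual)
    return any(fnmatch.fnmatchcase(hostname, pat) for pat in field.split(","))


def verify_host_key(known_hosts: str, hostname: str, key_type: str, key_b64: str) -> str:
    """Return 'match', 'mismatch', 'revoked' or 'unknown' for the presented key.
    First line whose host field and key type match decides, as in OpenSSH."""
    presented = base64.b64decode(key_b64)
    for line in known_hosts.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        marker = None
        if parts[0].startswith("@"):
            marker, parts = parts[0], parts[1:]
        if marker == "@cert-authority" or len(parts) < 3:
            continue  # certificate CAs need certificate parsing; out of scope here
        hosts, ktype, kb64 = parts[0], parts[1], parts[2]
        if ktype != key_type or not hostname_matches(hosts, hostname):
            continue
        same = hmac.compare_digest(base64.b64decode(kb64), presented)
        if marker == "@revoked":
            if same:
                return "revoked"
            continue
        return "match" if same else "mismatch"
    return "unknown"


# Constructed sample data (not real keys or hosts): two distinct 32-byte "ed25519" keys,
# a fixed 20-byte salt so hashed entries are reproducible, and example.net hostnames.
REAL_KEY = encode_public_key("ssh-ed25519", bytes(range(32)))
ROGUE_KEY = encode_public_key("ssh-ed25519", bytes(range(32, 64)))
SALT = bytes.fromhex("000102030405060708090a0b0c0d0e0f10111213")

KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "shell.example.net,192.0.2.10 ssh-ed25519 " + REAL_KEY,
    hash_hostname("hashed.example.net", SALT) + " ssh-ed25519 " + REAL_KEY,
    "@revoked old.example.net ssh-ed25519 " + ROGUE_KEY,
])


if __name__ == "__main__":
    # A listener on port 22 that cannot read the real host key presents ROGUE_KEY
    # and is flagged as a mismatch; the port number never enters the decision.
    for host, key in [("shell.example.net", REAL_KEY), ("shell.example.net", ROGUE_KEY),
                      ("hashed.example.net", REAL_KEY), ("old.example.net", ROGUE_KEY),
                      ("new.example.net", REAL_KEY)]:
        print(host, fingerprint(key), verify_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key))
```

The "unknown" outcome is the first-connection case the post mentions: nothing in the file says what the key should be, so the only defence is an out-of-band fingerprint to compare against, which is exactly what publishing the host public key provides.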