> Oops, sent only to Crispin. Sorry about that.
>
> On Fri, 13 Jul 2001, Crispin Cowan spewed into the ether:
> > As I understand Shane's original request, it is to get away from the
> > UNIX all-or-nothing "root" security model, without totally throwing away
> > UNIX. Seth is correct that pure capability-based OS's like KeyOS and
> > EROS don't have this problem, but that is not the only way to solve this
> > problem.
>
> Ok. How about starting by simplifying life first?
>
> Other than history, is there *any* reason to allow the first 1024 ports
> bindable only by root? Since malicious users can now have root access
> to their own systems, the rationale for restricting the lower ports to
> be accessible only to root is no longer valid. Remove that restriction
> and a whole lot of things become simpler.
>
> In this case, each program has its own space, its own user and its own
> privileges.

Yes: only known services should be there - starting a service at boot time
is only part of it; when a service gets restarted is also a problem. If a
port is generally available to users, then the port may be taken by a
random user for other purposes. Then the known service is unavailable.

This was solved for RPC by having a daemon perform mapping services to
inform remote hosts where the actual service was. Of course THAT service
has to have a reserved port...

Now - if the user id is included with the connection request, then it
COULD be routed to the proper user/port. Otherwise you just lose all
external communication. This assumes that a duplication of port numbers
is allowed to each user (unique by UID). That might work internally, but
doesn't work for host-host communication (yet).

It also simplifies firewall filters. If each host had services on random
ports (and not reserved ones) then EACH host's services would have to be
published to each firewall, making MANY rules for each host, rather than
one set of rules to be applied to all authorized hosts.

And nothing to advertise it to the rest of the world. Just because a rogue
host exists is no reason to prevent legitimate hosts from being able to
use the ports in a well known manner.

> Instead of trying to lock something down and dropping privileges, the
> whole mess is removed at one stroke.

different problem, solved in a different manner.

-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollardat_private

Any opinions expressed are solely my own.

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
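The reserved-port rule the thread argues about (ports below 1024 bindable only by root) and the failure mode Jesse describes (a restarting service finding its port already taken) can both be observed on a local host with the following script. It is an added example, not part of the original message or the list archive. It assumes a Linux host: on kernels 4.11 and later the boundary is exposed as the `net.ipv4.ip_unprivileged_port_start` sysctl, and the script falls back to the classic 1024 limit elsewhere; the `probe_bind` result names ('bound', 'privileged', 'in_use') are the script's own classification of the errno it receives.

```python
"""Probe the privileged-port restriction discussed in the thread.

Added example (not from the original message). Classifies a TCP port as
privileged under the running kernel's policy, then tries to bind it on
loopback and reports why the bind failed, if it did. Nothing is left
listening; every socket is closed before returning.
"""
import errno
import socket
from typing import Optional

# Linux >= 4.11 exposes the boundary as a sysctl; classic UNIX hard-codes 1024.
SYSCTL_PATH = "/proc/sys/net/ipv4/ip_unprivileged_port_start"
DEFAULT_PRIVILEGED_LIMIT = 1024


def privileged_port_limit() -> int:
    """Lowest port an unprivileged process may bind on this host."""
    try:
        with open(SYSCTL_PATH) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        # Not Linux, an old kernel, or /proc unavailable: assume the historical rule.
        return DEFAULT_PRIVILEGED_LIMIT


def is_privileged_port(port: int, limit: Optional[int] = None) -> bool:
    """True if binding `port` needs root / CAP_NET_BIND_SERVICE under `limit`."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    if limit is None:
        limit = privileged_port_limit()
    return port < limit


def probe_bind(port: int, host: str = "127.0.0.1") -> str:
    """Try to bind a TCP socket and say what happened.

    Returns 'bound' (we could take the port), 'privileged' (EACCES: the
    reserved-port rule stopped us), 'in_use' (EADDRINUSE: someone already
    holds it) or 'error:<ERRNO_NAME>' for anything else.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return "bound"
    except PermissionError:
        return "privileged"
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return "in_use"
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def audit_ports(ports, limit: Optional[int] = None) -> dict:
    """Map each service port to ('privileged'|'unprivileged', bind result)."""
    if limit is None:
        limit = privileged_port_limit()
    return {p: ("privileged" if is_privileged_port(p, limit) else "unprivileged",
                probe_bind(p)) for p in ports}


def demo_port_taken() -> str:
    """Hold an ephemeral loopback port in one socket, then probe it from another.

    Shows the failure mode the thread describes: once a port is held by some
    other process, a (re)starting service that wants it gets EADDRINUSE.
    """
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        holder.bind(("127.0.0.1", 0))      # kernel picks a free high port
        port = holder.getsockname()[1]
        return probe_bind(port)            # -> 'in_use'
    finally:
        holder.close()


if __name__ == "__main__":
    # Constructed sample: a few classic well-known ports plus one high port.
    for port, (cls, result) in audit_ports([22, 80, 443, 8080]).items():
        print(f"port {port:5d}: {cls:12s} bind -> {result}")
    print("held port probed ->", demo_port_taken())
```

Run it once as an ordinary user and once as root: as a user the well-known ports come back 'privileged' (the restriction the thread wants removed is doing its job), as root they come back 'bound' or 'in_use' depending on what is already listening. `demo_port_taken` returns 'in_use' either way, which is the port-squatting scenario a reserved range prevents for unprivileged users.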
This archive was generated by hypermail 2b30 : Mon Jul 16 2001 - 07:29:33 PDT