RE: Security through Permissiveness: A Zen Riddle?

From: Jesse Pollard (pollardat_private)
Date: Wed Jul 18 2001 - 07:56:49 PDT


> > 80 is the convention for http, 443 for https (http over SSL/TLS).
> >
> > But your argument stands, neither service requires system
> > privileges to run
> > (apart from opening that initial port).
>
> It should be noted that part of this distinction is historic ... back when
> few people had machines, but many many people had accounts, there was in
> fact a tangible difference in trust between "a machine I don't know" and
> "a random user on a machine I don't know".
>
> Services like identd, which are now more or less useless, are based on this
> distinction: a certain amount of trust for the average sysadmin, and less
> trust of the average user.

A site web server fits this exactly: the site authorizes the web server, and
advertises it via a well known port (80). The same distinction applies to
port 443 (https). https on other ports is not well known or advertised,
but that doesn't prevent it from being used.

>
> Many things that don't need root privs run below 1024 for a similar reason:
> they are considered to be "machine wide" services, administered by root
> instead of just some user.
>
> Now, if only TCP supported something like: "somemachine.com:tim@80" then
> everyone could have their own web server ... :)

TCP doesn't, but web servers do: "somemachine.com/tim" works just fine
where the URL is forwarded to "anymachine.com:someport". Can work if
"/tim" is a forwarding CGI that verifies that "tim" has a socket open...

TCP can't do that. TCP/IP has no concept of "user". IPSec (the RFC - not
the implementations) adds user information, but it is oriented to MAC support.

-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollardat_private

Any opinions expressed are solely my own.

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
    



    This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 07:57:24 PDT