Re: Ports 0-1023?

From: Brian Hatch (vuln-devat_private)
Date: Thu Jul 04 2002 - 08:28:16 PDT


> Is there any point in needing to be root in order to allocate the low ports
> on unix-like systems, anymore?  Could we get away from having to have some
> daemons even have a root stub in order to listen on a low port?  What would
> break, and what new holes would be created?  Could some sort of port ACL
> simply be used that says a particular UID can allocate a particular range
> of ports?
Root-only low-numbered ports offer me the following assurances:

  * When I connect with ssh/telnet/ftp/pop/imap/anything that requires
    authentication, I know that I am talking to a process that was
    started by root.  I should feel comfortable giving my password
    because I know it wasn't a user process that's listening.  Imagine
    if there were a bug to crash an ssh server, and a local user killed
    it off and then started his own ssh service to snag passwords and
    complain with an error to the client.  After a while there are a
    few passwords stolen, the user stops the password snagger, and root
    starts up sshd again.  No one's the wiser.

    These processes require root privs at some point anyway, however,
    or at least CAP_SYS_CHROOT to be able to change the UID to the
    target user, so this may not be an issue.

  * Connections coming from <1024 are assumed to be from root on the
    client.  This allows such niceties as host-based authentication
    for the r-services, poorly configured SSH servers, etc.  Is there
    anything that actually uses this any more?  rsh/rlogin/etc are
    dead, SSH allows host-based authentication using strong crypto with
    host keys, so the port it's coming from could be irrelevant.

Those are the only two things that root-only low-bound ports grant us,
security-wise, and the second is almost irrelevant, if not negative.

So would it be good to have host-specific configuration that allowed
only specific users or programs the ability to bind a low port?  That
wouldn't be bad.  You can already do this with LIDS (grant a specific
program [based on device/inode] the Linux capability to bind only a
specific port or ports below 1024), letting you have much more
fine-grained local restrictions.

So if you implement something like this, the burden is on the system
administrator to create the correct policy of port/user/program for it
to be secure.  Having the default be a free-for-all would probably not
be good, lest users run their own password grabbers.

A local mistake in that policy means you leave users who connect to
your machine at risk.  But an administrator that does this is likely
to be running an old vulnerable version of the software as well anyway.

Short answer: root-only ports not really needed any more.
Brian Hatch                  "Is there a Lawyer
   Systems and                in the House?"
   Security Engineer          **BLAM!**     "Any more?"
Every message PGP signed
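The first assurance Brian describes (a low port implies a root-started listener) is exactly what an administrator loses once a per-port/per-user policy is in place, so it becomes something to audit rather than assume. The following script is an added example, not part of the original thread: it reads the Linux /proc/net/tcp table (layout as documented in proc(5); the sample rows embedded below are constructed) and flags LISTEN sockets on ports below 1024 whose owning UID is not 0.

```python
"""Audit privileged-port (<1024) TCP listeners that are NOT owned by root.

Added example, not from the original post.  Assumes the Linux /proc/net/tcp
layout: one header line, then rows whose 2nd field is local addr:port in hex,
4th field is the socket state, and 8th field is the owning uid.
"""

PRIVILEGED_PORT_MAX = 1024
TCP_LISTEN = 0x0A  # state code for LISTEN in /proc/net/tcp

# Constructed sample: sshd on :22 owned by root, a uid-1000 listener on :110
# (the "password snagger" case), a uid-1000 listener on :8080 (unprivileged,
# fine), and an ESTABLISHED connection on :22 that must not be reported.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:006E 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0016 0100007F:D2A4 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 20 4 30 10 -1
"""


def parse_proc_net_tcp(text):
    """Yield (local_port, state, uid) for every socket row, skipping the header."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8:
            continue  # blank or truncated row
        _, port_hex = fields[1].rsplit(":", 1)
        yield int(port_hex, 16), int(fields[3], 16), int(fields[7])


def unprivileged_low_port_listeners(text):
    """Return sorted (port, uid) pairs for LISTEN sockets on ports <1024 not owned by uid 0."""
    return sorted(
        (port, uid)
        for port, state, uid in parse_proc_net_tcp(text)
        if state == TCP_LISTEN and port < PRIVILEGED_PORT_MAX and uid != 0
    )


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as f:  # live table when run on Linux
            table = f.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP  # fall back to the constructed sample
    for port, uid in unprivileged_low_port_listeners(table):
        print(f"WARNING: port {port} is LISTENing but owned by uid {uid}, not root")
```

On the constructed sample only the uid-1000 listener on port 110 is reported; a real run would also want /proc/net/tcp6, which uses the same row layout.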
