On Thu, 4 Jul 2002, alex wrote:

> The assumption was that if the system administrator ran it, then it must
> be trustworthy). This thinking harks back to an era when SysAdmins were
> a select breed, not just any punk with a linux box. Nowadays it has
> been realised that trusting any other machine, even on your home
> network, is naive (because it could have been subverted).

No, that's not really like that. If you have a server, you expect that whatever is served on low ports (such as 80) is put there by the administrator / the owner of this machine, and not by any of 1000 other users that, say, pay them for mail accounts. Simple as that. Of course, the whole privilege system on a generic Unix is badly outdated and insufficient, but for as long as you have to live with it, this is the best you can get.

> So the extra risk run giving these daemons extra privilege is wasted, I
> think.

Many daemons would still have to keep root privileges. SSH, telnet, ftp, pop3, Sendmail and many more would most likely require root at some point. With many services, you could possibly force them to start with non-root privileges, but I bet you would most likely break some stuff and open new security problems (remember the Sendmail issue with setuid() failing on Linux with broken capabilities?). Many services just assume they succeeded with some things, since they should be running as root at this point. For some system calls, the semantics are different depending on uid; this may be dangerous too. I think it is easier to check whether a given service actually successfully dropped the privileges on your system.

-- 
_____________________________________________________
Michal Zalewski [lcamtufat_private] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
http://lcamtuf.coredump.cx/photo/
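An added example (my own code, not from this thread or any of the daemons mentioned) of the check the message above argues for: a privilege-drop routine in C that tests every return value and then verifies the drop actually happened, instead of assuming setuid() succeeded the way the Sendmail case did. The function names drop_privileges() and verify_unprivileged() are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Verify that the process really is running as uid/gid with no way back to
 * root: every id must match, and (unless the target itself is root) an
 * attempt to become uid 0 must be refused with EPERM. */
int verify_unprivileged(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0) {
        /* If this call succeeds, root was not really dropped. */
        if (setuid(0) == 0 || errno != EPERM)
            return -1;
    }
    return 0;
}

/* Drop to uid/gid, checking every return value instead of assuming success.
 * Order matters: supplementary groups and gid first, uid last, since after
 * setuid() the process may no longer be allowed to change its groups. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* setgroups() needs CAP_SETGID, so only root clears the group list. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) {
        perror("setgroups");
        return -1;
    }
    if (setgid(gid) != 0) {
        perror("setgid");
        return -1;
    }
    if (setuid(uid) != 0) {
        perror("setuid");
        return -1;
    }
    return verify_unprivileged(uid, gid);
}

int main(void)
{
    /* Demo: drop to the invoking user's own ids (a no-op when not root). */
    return drop_privileges(getuid(), getgid()) == 0 ? 0 : 1;
}
```

Run it as root with a real unprivileged uid/gid to see the full path; as an ordinary user it only exercises the verification step.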
This archive was generated by hypermail 2b30 : Thu Jul 04 2002 - 11:27:55 PDT