OK, to summarize the responses: -Some portion of the daemons presently need root solely so they can get a low port, and that could be changed if the mechanism to get a low port didn't require root. -Some daemons still need root regardless of the port number, because of a need to change privs/uid. -Allowing arbitrary uids to start processes on arbitrary ports could be bad because nonpriv uids might be able to crash the service, and take over the port, and the service may be one that users authenticate to. -Some of this functionality could be simulated via port redirection, and running the real service on a high port. (Which would suffer from the port hijacking problem.) -ACLs could be used to limit which uids can bind which ports. -R services might break, which could be a bonus. Which all pretty much confirms my assumptions, thank you. So, what I had in mind was something to this effect: File /etc/ports contans: root:* telnetd:23 ftpd:20,21,1024-65535 ... *:1024-65535 In this file, telnetd is a uid NOT a process name. The file is simply a list of what uids can bind to what ports. We would have to make it so that the list is static in memory, so that the kernel doesn't have to consult a file every time it binds a port, but updatable at will by root or similar administrative account. The telnetd program would run as uid telnetd. Some unix systems have this capability already from what I understand... I'd be interested in having people mail me privately which ones do, and how close they are to this scheme, and I'll summarize for the list. I have one more specific question regarding daemons that take authentication, and switch to another uid. For something like a telnetd, or sshd that uses PAM.... in order to drop to a shell as the uid of the authenticated user, do they really need root? If you have the authentication information for the user, then you could call the system call equivalent of su, right? So the daemon is actually going after a privilege gain rather than a drop, because it starts as some account that can really only bind a special port. I understand that there would still be some cases, such as a MTA, that want to be another uid, but never get the authentication information, so they would likely need to retain root. What would be wrong with doing things this way (other than having to code it)? BB
This archive was generated by hypermail 2b30 : Thu Jul 04 2002 - 14:15:08 PDT