Re: Ports 0-1023?

From: Charles 'core' Stevenson (coreat_private)
Date: Thu Jul 04 2002 - 13:56:28 PDT

Next message: hicks: "Re: Ports 0-1023?"

Previous message: gminick: "Re: Ports 0-1023?"
In reply to: Kurt Seifried: "Re: Ports 0-1023?"
Next in thread: Thomas Cannon: "Re: Ports 0-1023?"
Next in thread: Martin Mačok: "Re: Ports 0-1023?"
Reply: Thomas Cannon: "Re: Ports 0-1023?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Why doesn't someone implement an init that intelligently handles the 
privilege seperation using the Linux capabilities. And why not hack 
something up so we can give an attribute to a suid that allows it to 
just change the system time or this sort of thing. I think it would be 
great to chmod +n /bin/ping.

Just a thought :)

peace,
core

Kurt Seifried wrote:
>>Is there any point in needing to be root in order to allocate the low
> 
> ports
> 
>>on unix-like systems, anymore?  Could we get away from having to have some
>>daemons even have a root stub in order to listen on a low port?  What
> 
> would
> 
>>break, and what new holes would be created?  Could some sort of port ACL
>>simply be used that says a particular UID can allocate a particular range
>>of ports?
> 
> 
> Well. Let's say you don't need to be root anymore.
> 
> Hey look at me, I'm the webserver! Or the email server, or the ftp server.
> or the NFS server.......
> 
> If I can down a service (remote/local DoS), or wait for it to be restarted
> (like to reload configuration or some other automated interuption) I can be
> that service. Kind of scary IMHO.
> 
> Now if you're talking about assigning a UID or GID to "own" the port that's
> a different story, however I fear people doing well intentioned, but stupid
> things like assigning it to "nobody". This capability already exists in many
> systems, Argus Pitbull (for Solaris) and Pitbull LX (for Linux), NSA
> SELinux, and so on.
> 
> Personally I like Solaris' ability to assign high ports to require root,
> this is nice for NFS (2049) and other related systems (has to run as root
> anyways, well unless you got some really crazy user-daemon nfs =).
> 
> Plus with privilege seperation (OpenSSH, Postfix, Apache, etc.) there is
> very little to worry about in most cases, done properly these things are not
> terribly dangerous (ok, ignoring last week ....=).
> 
> I wrote an article about this ages ago, but cannot find it, and of course
> securityportal.com is no more, ohwell.
> 
> 
>>Discuss.
>>
>>BB
> 
> 
> Kurt Seifried, kurtat_private
> A15B BEE5 B391 B9AD B0EF
> AEB0 AD63 0B4E AD56 E574
> http://seifried.org/security/
> http://www.iDefense.com/
> 
> 
> 
>

Next message: hicks: "Re: Ports 0-1023?"
Previous message: gminick: "Re: Ports 0-1023?"
In reply to: Kurt Seifried: "Re: Ports 0-1023?"
Next in thread: Thomas Cannon: "Re: Ports 0-1023?"
Next in thread: Martin Mačok: "Re: Ports 0-1023?"
Reply: Thomas Cannon: "Re: Ports 0-1023?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jul 04 2002 - 16:10:30 PDT