Re: Ports 0-1023?

From: Bruno Morisson (morissonat_private)
Date: Thu Jul 04 2002 - 17:55:20 PDT

Next message: Ron DuFresne: "Reminder Announcement - CSICON.NET (fwd)"

Previous message: hicks: "Re: Ports 0-1023?"
In reply to: gminick: "Re: Ports 0-1023?"
Next in thread: gminick: "Re: Ports 0-1023?"
Next in thread: Michal Zalewski: "Re: Ports 0-1023?"
Reply: gminick: "Re: Ports 0-1023?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thursday 04 July 2002 20:31, gminick wrote:
> On Thu, Jul 04, 2002 at 06:54:05PM +0100, Bruno Morisson wrote:
>> Example, uid 80 can bind to tcp port 80.
> It leads us to build more static and more complicated systems.
> We're just trying to provide new situations where bugs can exist
> and what we're trying to achieve isn't worthy...

Why do you say it would be more static ? I believe it would be much more 
flexible. As to new situations... It'd be really not a new situation. In that 
example uid 80 would be just like root... but unable to do all the other 
things root can :-) Don't think of it as giving privileges, but as taking 
them. 

> > You start the httpd as that
> > user, and drop privileges by setting your uid to nobody (or apache, or
> > whatever). If the user exploits the daemon, it will be uid nobody (or
> > whatever), and in the worst case scenario, he will have uid 80, and
> > never uid 0.
>
> Are you sure? I think that our new user changes nothing and there's
> still a possibility of priviledges expansion from user nobody to
> a root (if you've exploited apache with a remote exploit, and you
> have a shell as user nobody you're able to try to exploit something
> locally and get UID==0). Am I right ?

Yes, it helps nothing on that case.
The difference between starting a process (apache for example) as root 
then dropping privileges, from starting as a user who can only bind to port 
80 (it has no other privileges) and then dropping that privilege is the 
question "do you trust the daemon *really* dropped privileges?", and using a 
principle of "least privilege". If a process doesn't need certain privileges, 
_don't_ give them to it. Either you audit every daemon you run (if you have 
the source), or trust who wrote it (if you are unable to audit for lack of 
skills/time/source), or don't let it run *ever* as root just because it needs 
to bind to a "privileged" port, and minimize the risk.
I just don't see any need to run so many things as "root" just because they 
need to bind to privileged ports.

regards,
Bruno Morisson <morissonat_private>

Next message: Ron DuFresne: "Reminder Announcement - CSICON.NET (fwd)"
Previous message: hicks: "Re: Ports 0-1023?"
In reply to: gminick: "Re: Ports 0-1023?"
Next in thread: gminick: "Re: Ports 0-1023?"
Next in thread: Michal Zalewski: "Re: Ports 0-1023?"
Reply: gminick: "Re: Ports 0-1023?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jul 04 2002 - 18:34:36 PDT