On Thursday 04 July 2002 20:31, gminick wrote: > On Thu, Jul 04, 2002 at 06:54:05PM +0100, Bruno Morisson wrote: >> Example, uid 80 can bind to tcp port 80. > It leads us to build more static and more complicated systems. > We're just trying to provide new situations where bugs can exist > and what we're trying to achieve isn't worthy... Why do you say it would be more static ? I believe it would be much more flexible. As to new situations... It'd be really not a new situation. In that example uid 80 would be just like root... but unable to do all the other things root can :-) Don't think of it as giving privileges, but as taking them. > > You start the httpd as that > > user, and drop privileges by setting your uid to nobody (or apache, or > > whatever). If the user exploits the daemon, it will be uid nobody (or > > whatever), and in the worst case scenario, he will have uid 80, and > > never uid 0. > > Are you sure? I think that our new user changes nothing and there's > still a possibility of priviledges expansion from user nobody to > a root (if you've exploited apache with a remote exploit, and you > have a shell as user nobody you're able to try to exploit something > locally and get UID==0). Am I right ? Yes, it helps nothing on that case. The difference between starting a process (apache for example) as root then dropping privileges, from starting as a user who can only bind to port 80 (it has no other privileges) and then dropping that privilege is the question "do you trust the daemon *really* dropped privileges?", and using a principle of "least privilege". If a process doesn't need certain privileges, _don't_ give them to it. Either you audit every daemon you run (if you have the source), or trust who wrote it (if you are unable to audit for lack of skills/time/source), or don't let it run *ever* as root just because it needs to bind to a "privileged" port, and minimize the risk. I just don't see any need to run so many things as "root" just because they need to bind to privileged ports. regards, Bruno Morisson <morissonat_private>
This archive was generated by hypermail 2b30 : Thu Jul 04 2002 - 18:34:36 PDT