Re: Ports 0-1023?

From: Blue Boar (BlueBoarat_private)
Date: Thu Jul 04 2002 - 21:06:44 PDT

    Brian Hatch wrote:
    >>For something like a telnetd,
    >>or sshd that uses PAM.... in order to drop to a shell as the uid of the
    >>authenticated user, do they really need root?
    > 
    > You need *something* that's running as root.  It may not be the process
    > itself, but there must be something that can hand off a new UID.  Take
    > suexec, part of Apache.  It's a suid executable that has a quite rigid
    > set of conditions that must be correct for it to run a CGI as a
    > different user.  The most important rule being that the suexec program
    > is only called from the webserver user, which is specified at suexec
    > compile time.
    > 
    > Something like this would be needed for user 'telnetd' to let you
    > log in as you, instead of it.
    
    I've never looked at the su source, but that's pretty much exactly what I 
    had in mind.
    
    >>If you have the
    >>authentication information for the user, then you could call the system
    >>call equivalent of su, right?
    > 
    > 
    > If you have the password, sure, you could do something like that.  But
    > many authentication schemes (ssh identities, challenge/response, etc)
    > do not offer you the actual password, so you're stuck getting a
    > different UID by some setuid() call.
    
    Which is why I specifically mention PAM.  I realize that not every single 
    authentication scheme will have a system-wide equivalent.  Notably, the key 
    form of SSH authentication, which I forgot to mention before, and which one 
    subscriber reminded me about off-list.
    
    It seems like a good idea to me to keep as much of the authentication code 
    in one place as possible, and let programs call that.  At present, that 
    seems to be PAM.  Just seems a better idea than letting each program 
    reimplement the same thing, and having that many more opportunities to get 
    it wrong.
    
    >>What would be wrong with doing things this way (other than having to code 
    >>it)?
    > You're trading UID root for suid root helper programs.  Now whether
    > this is 'wrong' or not depends on your thinking.
    
    I'm also trying to enable daemons that don't really need to be root at all, 
    the ones that only wanted root in order to bind to a low port (save of 
    course that at present they DO have to be root at least part of the time to 
    get the low port).  Add to that some daemons that also needed root to 
    authenticate people.. and could just do so through PAM, and you might make 
    a dent in reducing the amount of code run as root.
    
    Thanks for the comments.
    
    							BB
    


