Re: Ports 0-1023?

From: gminick (gminickat_private)
Date: Thu Jul 04 2002 - 23:25:03 PDT


    On Fri, Jul 05, 2002 at 12:55:20AM +0000, Bruno Morisson wrote:
    > >> Example, uid 80 can bind to tcp port 80.
    > > It leads us to build more static and more complicated systems.
    > > We're just trying to provide new situations where bugs can exist
    > > and what we're trying to achieve isn't worthy...
    > Why do you say it would be more static ?
    Because you need to add dozens of users (httpd, telnetd) to your
    passwd file if you want to build a system where separate users
    are running processes, and if you want "Example, uid 80 can bind to
    tcp port 80" to work you need to add some strange directives to your
    kernel.
    
    > example uid 80 would be just like root... but unable to do all the other 
    > things root can :-) Don't think of it as giving privileges, but as taking 
    > them. 
    Ok, I understand that, but I can't find out what's wrong with running
    (for example) apache as root (it's usually done by /etc/rc.d/ scripts)
    and dropping privileges right after bind()ing.
    
    > > Are you sure? I think that our new user changes nothing and there's
    > > still a possibility of privilege expansion from user nobody to
    > > root (if you've exploited apache with a remote exploit, and you
    > Yes, it helps nothing on that case.
    > The difference between starting a process (apache for example) as root 
    > then dropping privileges, from starting as a user who can only bind to port 
    > 80 (it has no other privileges) and then dropping that privilege is the 
    > question "do you trust the daemon *really* dropped privileges?",
    I have to. When I don't believe in it I'm always able to check it.
    We still need to remember that there are a lot of daemons working as
    root as long as they're running. When my daemon is dropping privileges
    I'm just more sure about my host's security. If we're providing
    "uid 80 can bind to tcp port 80" we need to remember that there's
    not only Apache in the wild and some servers could need root all the time.
    
    > I just don't see any need to run so many things as "root" just because they 
    > need to bind to privileged ports.
    Well, if somebody really needs this, let's build it as a module or a
    kernel patch ;)
    
    -- 
    [ Wojtek gminick Walczak ][ http://hacker.pl/gminick/ ]
    [ gminick (at) hacker.pl ][ gminick (at) klub.chip.pl ]
    
    This archive was generated by hypermail 2b30 : Fri Jul 05 2002 - 11:11:46 PDT