Re: Ports 0-1023?

From: George W. Capehart (gwcat_private)
Date: Fri Jul 05 2002 - 20:23:03 PDT


    gminick wrote:
    > 
    
    <snip>
    
    > Because you need to add dozens of users (httpd, telnetd) to your
    > passwd file if you want to build a system where separated users
    > are running processes and if you want that: "Example, uid 80 can bind to
    > tcp port 80" to work you need to add some strange directives to your
    > kernel.
    
    NO!  This is the problem that role-based access control (RBAC) is
    designed to deal with.  It is beyond the scope of this email to go into
    detail about it, but there are OSs (Solaris, for example) and OS add-ins
    like ACF/RACF, Tivoli, etc. that implement it.  It's not *that* hard to
    implement policies that say what roles can open what ports.  Then, it's
    administration to manage the database that maps users to roles . . .
    
    > 
    > > example uid 80 would be just like root... but unable to do all the other
    > > things root can :-) Don't think of it as giving privileges, but as taking
    > > them.
    > Ok, I understand that, but I can't find out what's wrong with running
    > (for example) apache from root (it's usually done by /etc/rc.d/ scripts)
    > and dropping privileges right after bind()ing.
    > 
    > > > Are you sure? I think that our new user changes nothing and there's
    > > > still a possibility of privileges expansion from user nobody to
    > > > a root (if you've exploited apache with a remote exploit, and you
    > > Yes, it helps nothing in that case.
    > > The difference between starting a process (apache for example) as root
    > > then dropping privileges, from starting as a user who can only bind to port
    > > 80 (it has no other privileges) and then dropping that privilege is the
    > > question "do you trust the daemon *really* dropped privileges?",
    > I have to. When I don't believe in it I'm always able to check it.
    > We still need to remember that there's a lot of daemons working as
    > root as long as they're running. When my daemon is dropping privileges
    > I'm just more sure about my host's security. If we're providing
    > "uid 80 can bind to tcp port 80" we need to remember, that there's
    > not only Apache in the wild and some servers could need a root all the time.
    > 
    > > I just don't see any need to run so many things as "root" just because they
    > > need to bind to privileged ports.
    > Well, if somebody really needs this let's build it as a module or a
    > kernel patch ;)
    > 
    > --
    > [ Wojtek gminick Walczak ][ http://hacker.pl/gminick/ ]
    > [ gminick (at) hacker.pl ][ gminick (at) klub.chip.pl ]
    



    This archive was generated by hypermail 2b30 : Fri Jul 05 2002 - 22:56:55 PDT