Vulnerability Development mailing list archives

Re: Ports 0-1023?


From: "George W. Capehart" <gwc () capehassoc com>
Date: Sat, 06 Jul 2002 11:23:03 +0800

gminick wrote:


<snip>

> Because you need to add dozens of users (httpd, telnetd) to your
> passwd file if you want to build a system where separated users
> are running processes and if you want that: "Example, uid 80 can bind to
> tcp port 80" to work you need to add some strange directives to your
> kernel.

NO!  This is the problem that role-based access control (RBAC) is
designed to deal with.  It is beyond the scope of this email to go into
detail about it, but there are OSs (Solaris, for example) and OS add-ins
like ACF/RACF, Tivoli, etc. that implement it.  It's not *that* hard to
implement policies that say what roles can open what ports.  Then, it's
administration to manage the database that maps users to roles . . .


> > example uid 80 would be just like root... but unable to do all the other
> > things root can :-) Don't think of it as giving privileges, but as taking
> > them.
> Ok, I understand that, but I can't find out what's wrong with running
> (for example) apache from root (it's usually done by /etc/rc.d/ scripts)
> and dropping privileges right after bind()ing.
>
> > > Are you sure? I think that our new user changes nothing and there's
> > > still a possibility of privileges expansion from user nobody to
> > > a root (if you've exploited apache with a remote exploit, and you
> Yes, it helps nothing in that case.
> > The difference between starting a process (apache for example) as root
> > then dropping privileges, from starting as a user who can only bind to port
> > 80 (it has no other privileges) and then dropping that privilege is the
> > question "do you trust the daemon *really* dropped privileges?",
> I have to. When I don't believe in it I'm always able to check it.
> We still need to remember that there's a lot of daemons working as
> root as long as they're running. When my daemon is dropping privileges
> I'm just more sure about my host's security. If we're providing
> "uid 80 can bind to tcp port 80" we need to remember, that there's
> not only Apache in the wild and some servers could need a root all the time.
>
> > I just don't see any need to run so many things as "root" just because they
> > need to bind to privileged ports.
> Well, if somebody really needs this let's build it as a module or a
> kernel patch ;)
>
> --
> [ Wojtek gminick Walczak ][ http://hacker.pl/gminick/ ]
> [ gminick (at) hacker.pl ][ gminick (at) klub.chip.pl ]
