Vulnerability Development mailing list archives

RE: Ports 0-1023?


From: Michael Wojcik <Michael.Wojcik () microfocus com>
Date: Sun, 7 Jul 2002 08:17:19 -0700

From: Kevin Easton [mailto:s3159795 () student anu edu au]
Sent: Saturday, July 06, 2002 10:07 AM

I think rather than a proliferation of filesystem "setcap" bits for
executables, it's likely that a program would remain setuid root, but
drop all unneeded capabilities as its first task when run (i.e., ping
would drop all capabilities except CAP_NET_RAW).

Note, though, that this design creates new possibilities for security
programming errors.  Programmers used to the I-can-do-anything environment
of traditional uid-0 execution, or programmers updating code written with
that assumption, may unwittingly create new exposures by preventing a
program from operating normally.  It's similar to the kind of exposure that
occasionally crops up in a privileged program that doesn't check the return
code from a system call it assumes will always succeed.

I think it was IBM's Julie Haugh who pointed that out to me in a discussion
of AIX's "setpriv" syscall on comp.unix.aix some years ago.

That said, I'd prefer to see programs that retain only the specific
privileges they need - but we need to remember that it's a different
programming model than traditional uid-0 and requires care.

Michael Wojcik
Principal Software Systems Developer, Micro Focus
Department of English, Miami University
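The drop-all-but-CAP_NET_RAW step Kevin describes, together with the point Michael makes about checking return codes, written out as an added example (this is not code from either poster and not from any real ping implementation). It assumes Linux and drives the raw capget(2)/capset(2) syscalls through syscall(2) with the version-3 header, so it needs no libcap; the capability set is modelled as a 64-bit mask with bit N standing for capability number N. The capability list in main() is a constructed sample.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Added example: capability sets handled directly via capget/capset.
 * A set is a 64-bit mask, bit N == capability number N. */

/* Build a mask from a list of capability numbers; out-of-range values are ignored. */
static uint64_t cap_mask(const int *caps, size_t n)
{
    uint64_t m = 0;
    for (size_t i = 0; i < n; i++)
        if (caps[i] >= 0 && caps[i] <= CAP_LAST_CAP)
            m |= (uint64_t)1 << caps[i];
    return m;
}

/* Read the calling thread's effective set. Returns 0, or -1 with errno set. */
static int current_effective(uint64_t *out)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    *out = ((uint64_t)data[1].effective << 32) | data[0].effective;
    return 0;
}

/* Keep only the capabilities in `keep` (permitted and effective) and clear
 * the inheritable set. This is the "drop everything except CAP_NET_RAW"
 * step a setuid-root ping would take first. The return code is not
 * optional: if capset fails, the process still holds every capability it
 * started with, which is exactly the unchecked-syscall exposure above. */
static int retain_only(uint64_t keep)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    data[0].permitted = data[0].effective = (uint32_t)keep;
    data[1].permitted = data[1].effective = (uint32_t)(keep >> 32);
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -1;
    /* Verify rather than assume: read the set back and compare. */
    uint64_t eff;
    if (current_effective(&eff) != 0)
        return -1;
    if (eff != keep) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* 1 when the effective set is exactly `want`, 0 otherwise or on error. */
static int holds_only(uint64_t want)
{
    uint64_t eff;
    return current_effective(&eff) == 0 && eff == want;
}

int main(void)
{
    const int needed[] = { CAP_NET_RAW };   /* constructed sample: what ping needs */
    uint64_t keep = cap_mask(needed, 1);

    /* Fail closed: a program that cannot reach its intended minimal state
     * must not carry on with whatever privileges it happens to hold. */
    if (retain_only(keep) != 0) {
        fprintf(stderr, "cannot reduce to CAP_NET_RAW only: %s\n", strerror(errno));
        return 1;
    }
    printf("running with CAP_NET_RAW only: %s\n", holds_only(keep) ? "yes" : "no");
    return 0;
}
```

Run as an unprivileged user the capset call fails with EPERM (CAP_NET_RAW is not in the permitted set to begin with) and the program exits instead of continuing; run as root it ends up with exactly one capability. The read-back in retain_only is the habit the thread argues for: a privileged program that silently assumes the drop succeeded is in the same position as one that never checks a system call it expects to always succeed.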

