Re: Ports 0-1023?

["Kurt Seifried" <bugtraq () seifried org>]

> Is there any point in needing to be root in order to allocate the low
ports
> on unix-like systems, anymore?  Could we get away from having to have some
> daemons even have a root stub in order to listen on a low port?  What
would
> break, and what new holes would be created?  Could some sort of port ACL
> simply be used that says a particular UID can allocate a particular range
> of ports?

Well. Let's say you don't need to be root anymore.

Hey look at me, I'm the webserver! Or the email server, or the ftp server.
or the NFS server.......

If I can down a service (remote/local DoS), or wait for it to be restarted
(like to reload configuration or some other automated interuption) I can be
that service. Kind of scary IMHO.

Now if you're talking about assigning a UID or GID to "own" the port that's
a different story, however I fear people doing well intentioned, but stupid
things like assigning it to "nobody". This capability already exists in many
systems, Argus Pitbull (for Solaris) and Pitbull LX (for Linux), NSA
SELinux, and so on.

Personally I like Solaris' ability to assign high ports to require root,
this is nice for NFS (2049) and other related systems (has to run as root
anyways, well unless you got some really crazy user-daemon nfs =).

Plus with privilege seperation (OpenSSH, Postfix, Apache, etc.) there is
very little to worry about in most cases, done properly these things are not
terribly dangerous (ok, ignoring last week ....=).

I wrote an article about this ages ago, but cannot find it, and of course
securityportal.com is no more, ohwell.

> Discuss.
>
> BB

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
http://www.iDefense.com/