Firewall Wizards mailing list archives
Re: Ports and privileges
From: tqbf () secnet com
Date: Fri, 20 Feb 1998 22:40:43 -0600 (CST)
Chris Pugrud on Feb 20 1998
Why do they need to run as root? The primary reason seems to be so that they can open privileged ports.
Well, this is the primary reason that the rcmd() programs are SUID, but certainly not the leading cause of SUIDness. To answer your questions:

- It is very easy to modify your TCP/IP drivers to allow arbitrary processes to bind privileged ports; all you're doing is getting rid of a special case.

- Some operating systems already allow you to effectively do this by making the range of privileged ports configurable.

- Allowing arbitrary processes to bind privileged ports is a bad thing. It's not just that it breaks rsh/rlogin; it allows arbitrary programs to claim arbitrary ports, which can allow an attacker to, say, masquerade as telnetd and capture passwords. Some operating systems have extended the privileged ports to things like 2049 for exactly this reason.

- However, forcing programs that need privileged ports to run SUID root, even for the few lines of code until the port is actually bound (remember crt0.c in FreeBSD?) is wrong too. On systems that do not use rlogin/rsh, the privilege of being able to bind a privileged port is not equivalent to root (although the ability to kill an arbitrary program in conjunction with that privilege may be).

- I proposed to the FreeBSD project about a year ago that they make the UID/GID requirement for privileged ports configurable, so rsh/rlogin could run as group "network" instead of root. I also supplied patches, which you can find by searching the mailing lists at freebsd.org for "privileged ports" (there's also a patch I did there to make raw sockets configurable too). They never integrated this into the code.

You're right, you're not the first person to think of this, and it's a very easy fix. The primary thing keeping FreeBSD and Linux from doing this is, I suspect, the expectation that it will break rlogin/rsh, which are still in common use today.
However, there's no reason not to REDUCE the amount of privilege required to obtain a restricted port, rather than eliminate it entirely, and I don't know why this hasn't been done.

-----------------------------------------------------------------------------
Thomas H. Ptacek                                        Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf                           "mmm... sacrilicious"