Firewall Wizards mailing list archives

Re: Ports and privileges


From: tqbf () secnet com
Date: Fri, 20 Feb 1998 22:40:43 -0600 (CST)


Chris Pugrud on Feb 20 1998

Why do they need to run as
root? The primary reason seems to be so that they can open privileged
ports.

Well, this is the primary reason that the rcmd() programs are SUID, but
certainly not the leading cause of SUIDness. 

To answer your questions:

        - It is very easy to modify your TCP/IP drivers to allow
          arbitrary processes to bind privileged ports; all you're
          doing is getting rid of a special case.

        - Some operating systems already allow you to effectively do
          this by making the range of privileged ports configurable.

        - Allowing arbitrary processes to bind privileged ports is 
          a bad thing. It's not just that it breaks rsh/rlogin; it
          allows arbitrary programs to claim arbitrary ports, which 
          can allow an attacker to, say, masquerade as telnetd and
          capture passwords. Some operating systems have extended the
          privileged ports to things like 2049 for exactly this reason.

        - However, forcing programs that need privileged ports to run
          SUID root, even for the few lines of code until the port is
          actually bound (remember crt0.c in FreeBSD?) is wrong too.
          On systems that do not use rlogin/rsh, the privilege of 
          being able to bind a privileged port is not equivalent to 
          root (although the ability to kill an arbitrary program in
          conjunction with that privilege may be). 

        - I proposed to the FreeBSD project about a year ago that they
          make the UID/GID requirement for privileged ports configurable,
          so rsh/rlogin could run as group "network" instead of root.
          I also supplied patches, which you can find by searching the
          mailing lists at freebsd.org for "privileged ports" (there's
          also a patch I did there to make raw sockets configurable too).

          They never integrated this into the code.

You're right, you're not the first person to think of this, and it's a
very easy fix. The primary thing keeping FreeBSD and Linux from doing this
is, I suspect, the expectation that it will break rlogin/rsh, which are
still in common use today. However, there's no reason not to REDUCE the
amount of privilege required to obtain a restricted port, rather than
eliminate it entirely, and I don't know why this hasn't been done.

-----------------------------------------------------------------------------
Thomas H. Ptacek                                        Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf                           "mmm... sacrilicious"
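The pattern the post describes, a daemon that is root only for the few lines until the privileged port is bound and then gives root up, as an added C example that is not from the post or from any of the systems it mentions. It also shows the part that is easy to get wrong: dropping groups before the uid, using setuid() rather than seteuid() so the saved uid goes too, and checking that root really cannot be regained. Port 80 and uid/gid 65534 are assumed values.

```c
#define _GNU_SOURCE  /* glibc: declare setgroups() even under strict -std modes */
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* TCP listener on 127.0.0.1:port; ports below 1024 need root. Returns fd or -1. */
int bind_listener(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Give up root for good once the port is bound. Order matters: supplementary
 * groups, then gid, then uid (after setuid() the groups can no longer change).
 * setuid() as root sets real, effective and saved uid, so root cannot be
 * regained; the final setuid(0) must therefore fail. Returns 0 on success. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return setuid(0) == 0 ? -1 : 0;   /* root still reachable: treat as failure */
}

int main(void)
{
    /* Assumed values: port 80, and uid/gid 65534 ("nobody" on many systems). */
    int fd = bind_listener(80);
    if (fd < 0 || drop_privileges(65534, 65534) != 0) {
        fprintf(stderr, "cannot bind port or drop privileges, refusing to serve\n");
        return 1;
    }
    printf("listening on 127.0.0.1:80 as uid %d\n", (int)getuid());
    close(fd);
    return 0;
}
```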
