Vulnerability Development mailing list archives

Re: Ports 0-1023?


From: Brian Hatch <vuln-dev () ifokr org>
Date: Thu, 4 Jul 2002 08:28:16 -0700



Is there any point in needing to be root in order to allocate the low ports 
on unix-like systems, anymore?  Could we get away from having to have some 
daemons even have a root stub in order to listen on a low port?  What would 
break, and what new holes would be created?  Could some sort of port ACL 
simply be used that says a particular UID can allocate a particular range 
of ports?

Root-only low-numbered ports offer me the following assurances:

        * when I connect with ssh/telnet/ftp/pop/imap/anything that requires
                authentication, I know that I am talking to a process
                that was started by root.  I should feel comfortable
                giving my password because I know it wasn't a user
                process that's listening.  Imagine if there were a bug
                to crash an ssh server, and a local user killed it off
                and then started his own ssh service to snag passwords,
                and complain with an error to the client.  After a
                while there are a few passwords stolen, the user stops
                the password snagger, and root starts up sshd again.
                No one's the wiser.

                These processes require root privs at some point anyway,
                however, or at least CAP_SYS_CHROOT to be able to change
                the UID to the target user, so this may not be an issue.

        * connections coming from <1024 are assumed to be from the
                root on the client.  This allows such niceties as host-based
                authentication for the r-services, poorly configured SSH
                servers, etc.  Is there anything that actually uses
                this any more?  rsh/rlogin/etc are dead, SSH allows
                host-based authentication using strong crypto with
                host keys, so the port it's coming from could be irrelevant.


Those are the only two things that root-only low-bound ports grant us,
security-wise, and the second is of almost irrelevant, if not negative,
value.


So would it be good to have host-specific configuration that allowed
only specific users or programs the ability to bind a low port?  That
wouldn't be bad.  You can already do this with LIDS (grant a specific
program [based on device/inode] the Linux capability to bind only
a specific port or ports below 1024), letting you have much more
fine-grained local restrictions.

So if you implement something like this, the burden is on the system
administrator to create the correct policy of port/user/program for
it to be secure.  Having the default be a free-for-all would probably
not be good lest users run their own password grabbers.

A local mistake in that policy means you leave users who connect to
your machine at risk.  But an administrator that does this is likely
to be running an old vulnerable version of the software as well anyway.

Short answer: root-only ports not really needed any more.


--
Brian Hatch                  "Is there a Lawyer
   Systems and                  in the House?"
   Security Engineer          **BLAM!**
http://www.ifokr.org/bri/     "Any more?"

Every message PGP signed
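An added example, not part of Brian's post or the thread, to make the mechanism under discussion concrete: it probes the kernel's privileged-port check from the current process and shows the "root stub" pattern the post refers to (bind the low port while privileged, then drop to an unprivileged UID before touching client data, and verify the drop cannot be undone). Assumptions: a Linux/POSIX host with loopback; on Linux the boundary is read from the `net.ipv4.ip_unprivileged_port_start` sysctl (default 1024), falling back to 1024 elsewhere. The `target_uid`/`target_gid` values are whatever account the daemon should run as; nothing here is specific to any real service.

```python
"""Probe the privileged-port check and demonstrate bind-then-drop-privileges.

Run as an unprivileged user to see EACCES on the low port; run as root to
see the privilege drop.  Added example, not code from the original post.
"""
import errno
import os
import socket
from dataclasses import dataclass
from typing import Optional

# Linux exposes the boundary as a sysctl (since 4.11); other systems hard-wire 1024.
PROC_UNPRIV_START = "/proc/sys/net/ipv4/ip_unprivileged_port_start"


def privileged_port_boundary() -> int:
    """First port an unprivileged process may bind on this host."""
    try:
        with open(PROC_UNPRIV_START) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 1024


def is_privileged_port(port: int) -> bool:
    """Port 0 means 'pick an ephemeral port', so it is never privileged."""
    return 0 < port < privileged_port_boundary()


@dataclass
class BindResult:
    port: int                 # port actually bound (meaningful when 0 was requested)
    err: Optional[int]        # errno on failure, None on success
    err_name: Optional[str]   # symbolic errno name, e.g. "EACCES", for readability


def try_bind(port: int) -> BindResult:
    """Attempt to bind a TCP socket to 127.0.0.1:port and report the outcome."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("127.0.0.1", port))
        return BindResult(s.getsockname()[1], None, None)
    except OSError as e:
        return BindResult(port, e.errno, errno.errorcode.get(e.errno))
    finally:
        s.close()


def bind_then_drop(port: int, target_uid: int, target_gid: int) -> dict:
    """The 'root stub' pattern: bind the low port while privileged, then drop to
    an unprivileged identity before accepting any client data.  A real daemon
    keeps the listener open; it is closed here only so the demo exits cleanly."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    outcome = {"bound": False, "dropped": False, "regain_blocked": None}
    try:
        listener.bind(("127.0.0.1", port))
        listener.listen(1)
        outcome["bound"] = True
        if os.geteuid() != 0:
            return outcome          # already unprivileged; nothing to drop
        # Order matters: clear supplementary groups, set gid, then set uid.
        os.setgroups([])
        os.setgid(target_gid)
        os.setuid(target_uid)
        outcome["dropped"] = os.getuid() == target_uid and os.geteuid() == target_uid
        # The drop must be irreversible: regaining root has to fail now.
        try:
            os.setuid(0)
            outcome["regain_blocked"] = False
        except PermissionError:
            outcome["regain_blocked"] = True
        return outcome
    except OSError as e:
        outcome["error"] = errno.errorcode.get(e.errno, str(e.errno))
        return outcome
    finally:
        listener.close()


if __name__ == "__main__":
    print("unprivileged ports start at", privileged_port_boundary())
    print("ephemeral bind:", try_bind(0))
    print("low port bind: ", try_bind(1023))
    # 65534 is the conventional 'nobody' uid/gid on many Linux systems (assumption).
    print("bind-then-drop:", bind_then_drop(1023, 65534, 65534))
```

Running this as a normal user shows the `EACCES` that the root-only rule produces; as root, the low bind succeeds and the process then lands in the target UID with `regain_blocked` set, which is the property the post's "root stub" daemons rely on.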

