Vulnerability Development mailing list archives

Re: Ports 0-1023?

From: Bruno Morisson <morisson () genhex org>
Date: Fri, 5 Jul 2002 00:55:20 +0000

On Thursday 04 July 2002 20:31, gminick wrote:

On Thu, Jul 04, 2002 at 06:54:05PM +0100, Bruno Morisson wrote:

 Example, uid 80 can bind to tcp port 80.

It leads us to build more static and more complicated systems.
We're just trying to provide new situations where bugs can exist
and what we're trying to achieve isn't worthy...


Why do you say it would be more static ? I believe it would be much more 
flexible. As to new situations... It'd be really not a new situation. In that 
example uid 80 would be just like root... but unable to do all the other 
things root can :-) Don't think of it as giving privileges, but as taking 
them.

You start the httpd as that
user, and drop privileges by setting your uid to nobody (or apache, or
whatever). If the user exploits the daemon, it will be uid nobody (or
whatever), and in the worst case scenario, he will have uid 80, and
never uid 0.


Are you sure? I think that our new user changes nothing and there's
still a possibility of priviledges expansion from user nobody to
a root (if you've exploited apache with a remote exploit, and you
have a shell as user nobody you're able to try to exploit something
locally and get UID==0). Am I right ?


Yes, it helps nothing on that case.
The difference between starting a process (apache for example) as root 
then dropping privileges, from starting as a user who can only bind to port 
80 (it has no other privileges) and then dropping that privilege is the 
question "do you trust the daemon *really* dropped privileges?", and using a 
principle of "least privilege". If a process doesn't need certain privileges, 
_don't_ give them to it. Either you audit every daemon you run (if you have 
the source), or trust who wrote it (if you are unable to audit for lack of 
skills/time/source), or don't let it run *ever* as root just because it needs 
to bind to a "privileged" port, and minimize the risk.
I just don't see any need to run so many things as "root" just because they 
need to bind to privileged ports.

regards,
Bruno Morisson <morisson () genhex org>

Current thread:

Re: Ports 0-1023?, (continued)
- Re: Ports 0-1023? Michal Zalewski (Jul 04)
  - Re: Ports 0-1023? Sebastian Krahmer (Jul 05)
- Re: Ports 0-1023? robbe (Jul 04)
- Re: Ports 0-1023? Dave Aitel (Jul 04)
  - Re: Ports 0-1023? Michal Zalewski (Jul 04)
  - Re: Ports 0-1023? hicks (Jul 04)
- Re: Ports 0-1023? Juan M. Courcoul (Jul 04)
- Re: Ports 0-1023? Mark Ruth (Jul 04)
  - Re: Ports 0-1023? Bruno Morisson (Jul 04)
    - Re: Ports 0-1023? gminick (Jul 04)
    - Re: Ports 0-1023? Bruno Morisson (Jul 04)
    - Re: Ports 0-1023? gminick (Jul 05)
    - Re: Ports 0-1023? George W. Capehart (Jul 05)
- Ports 0-1023? alex (Jul 04)
  - Re: Ports 0-1023? Michal Zalewski (Jul 04)
- Re: Ports 0-1023? Blue Boar (Jul 04)
  - Re: Ports 0-1023? Brian Hatch (Jul 04)
    - Re: Ports 0-1023? Blue Boar (Jul 04)
    - Re: Ports 0-1023? Brian Hatch (Jul 05)
    - Re: Ports 0-1023? Clint Byrum (Jul 05)
  - Re: Ports 0-1023? Robert Bihlmeyer (Jul 08)

(Thread continues...)