Vulnerability Development mailing list archives
Re: Ports 0-1023?
From: Bruno Morisson <morisson () genhex org>
Date: Sun, 7 Jul 2002 20:18:13 +0000
On Saturday 06 July 2002 14:07, Kevin Easton wrote: (snip)

#define cap_raised(c, flag) (cap_t(c) & CAP_TO_MASK(flag))

i.e., the cap_effective mask of the current task structure is checked against the requested capability. The capability checking code is all good to go - it only requires a creative way of selectively setting cap_effective to work.

I think rather than a proliferation of filesystem "setcap" bits for executables, it's likely that a program would remain setuid root, but drop all unneeded capabilities as its first task when run (i.e., ping would drop all capabilities except CAP_NET_RAW).

- Kevin.
I looked exactly into that some time ago. I coded an LKM that uses capabilities, but with a few more checks, so one can do something like what we've been discussing in this thread, that is, allowing "normal" users to bind to a specific port < 1024.

Since the Linux capabilities implementation only allows binding to *any* port < 1024, I had to make a few more checks, namely checking the port requested to bind to, and only raising CAP_NET_BIND_SERVICE if the port matches a defined ACL; otherwise it is denied.

I won't go into much more detail here, so if anyone is interested I've put up the code on http://genhex.org/gksm.tgz. Read the "README" file included for more insight.

Keep in mind that this is just example code; it lacks a lot of things (and it may even break your kernel). It was just coded to test if it could be done. I'm rewriting all of it, putting a few more features in, and will release that code in the future.

regards,

Bruno Morisson <morisson () genhex org>
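The decision Bruno describes (check the port the caller asked to bind, let the stock CAP_NET_BIND_SERVICE through, and otherwise consult a per-uid port ACL) can be modelled in user space. The block below is an added example written for this archive page; it is not the gksm module, not kernel code, and not code from either poster. The ACL table, the bind_acl_entry type, check_bind/check_bind4 and their sample entries (uid 1000 may take port 80, uid 1001 may take port 25) are all hypothetical and constructed here; the capability constants and CAP_TO_MASK are the values the kernel header uses, redefined locally so the file builds without it. cap_raised is the macro Kevin quoted, with cap_t() being the identity.

```c
/* Added example: user-space model of an ACL-gated privileged-port bind check.
 * Not the gksm LKM and not kernel code; ACL contents and helper names are
 * hypothetical. Mirrors the classic inet_bind() rule (port 0 and ports >= 1024
 * need no privilege; ports < 1024 need CAP_NET_BIND_SERVICE) and adds the
 * per-uid, per-port ACL fallback described in the thread. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Same numeric values as include/linux/capability.h; guarded so the file
 * also builds when that header is included. */
#ifndef CAP_NET_BIND_SERVICE
#define CAP_NET_BIND_SERVICE 10
#endif
#ifndef CAP_NET_RAW
#define CAP_NET_RAW 13
#endif
#ifndef CAP_TO_MASK
#define CAP_TO_MASK(x) (1U << ((x) & 31))
#endif
/* Kevin's quoted macro; cap_t(x) was simply (x) in that kernel. */
#define cap_raised(c, flag) ((c) & CAP_TO_MASK(flag))

#define PROT_SOCK 1024   /* first unprivileged port, as in the kernel */

/* Hypothetical ACL: which uid may bind which privileged port. */
struct bind_acl_entry { uid_t uid; uint16_t port; };

static const struct bind_acl_entry bind_acl[] = {
    { 1000, 80 },   /* constructed: uid 1000 may run a web server */
    { 1001, 25 },   /* constructed: uid 1001 may run an MTA */
};
#define BIND_ACL_LEN (sizeof bind_acl / sizeof bind_acl[0])

enum bind_verdict { BIND_DENY = 0, BIND_ALLOW = 1 };

/* Extract the host-order port from an AF_INET or AF_INET6 sockaddr,
 * the same field a bind() hook would have to look at. -1 = unknown family. */
int sockaddr_port(const struct sockaddr *sa, socklen_t len)
{
    if (sa->sa_family == AF_INET && len >= sizeof(struct sockaddr_in))
        return ntohs(((const struct sockaddr_in *)sa)->sin_port);
    if (sa->sa_family == AF_INET6 && len >= sizeof(struct sockaddr_in6))
        return ntohs(((const struct sockaddr_in6 *)sa)->sin6_port);
    return -1;
}

/* Exact (uid, port) match against the ACL; no wildcards. */
int acl_allows(uid_t uid, int port)
{
    for (size_t i = 0; i < BIND_ACL_LEN; i++)
        if (bind_acl[i].uid == uid && bind_acl[i].port == port)
            return 1;
    return 0;
}

/* cap_eff stands in for the task's cap_effective mask. Order matters:
 * unprivileged ports never consult the ACL, and a task that already holds
 * CAP_NET_BIND_SERVICE keeps the stock "any port < 1024" behaviour. */
enum bind_verdict check_bind(uint32_t cap_eff, uid_t uid,
                             const struct sockaddr *sa, socklen_t len)
{
    int port = sockaddr_port(sa, len);
    if (port < 0)
        return BIND_DENY;                 /* fail closed on unknown families */
    if (port == 0 || port >= PROT_SOCK)
        return BIND_ALLOW;                /* port 0 = kernel picks ephemeral */
    if (cap_raised(cap_eff, CAP_NET_BIND_SERVICE))
        return BIND_ALLOW;                /* stock capability semantics */
    return acl_allows(uid, port) ? BIND_ALLOW : BIND_DENY;
}

/* Convenience wrapper: build an IPv4 sockaddr for 0.0.0.0:port and check it. */
enum bind_verdict check_bind4(uint32_t cap_eff, uid_t uid, uint16_t port)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    sin.sin_port = htons(port);
    return check_bind(cap_eff, uid, (const struct sockaddr *)&sin, sizeof sin);
}

int main(void)
{
    const uid_t uids[] = { 1000, 1001, 1002 };
    const uint16_t ports[] = { 25, 80, 8080 };
    for (size_t i = 0; i < 3; i++)
        for (size_t j = 0; j < 3; j++)
            printf("uid %u, no capabilities, port %u: %s\n",
                   (unsigned)uids[i], ports[j],
                   check_bind4(0, uids[i], ports[j]) == BIND_ALLOW ? "allow" : "deny");
    printf("uid 1002 with CAP_NET_RAW only, port 22: %s\n",
           check_bind4(CAP_TO_MASK(CAP_NET_RAW), 1002, 22) == BIND_ALLOW ? "allow" : "deny");
    return 0;
}
```

The point the model makes explicit is why a plain capability is too coarse for this use case: CAP_NET_BIND_SERVICE is tested as a single bit of the effective mask, so once raised it covers every port below 1024, whereas the ACL branch only fires for the exact (uid, port) pair. A real hook also has to read the port out of the user-supplied sockaddr, which is why the check parses sin_port/sin6_port rather than trusting anything else.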
Current thread:
- Ports 0-1023? Blue Boar (Jul 04)
- Re: Ports 0-1023? Kurt Seifried (Jul 04)
- Re: Ports 0-1023? Charles 'core' Stevenson (Jul 04)
- Re: Ports 0-1023? Thomas Cannon (Jul 04)
- Re: Ports 0-1023? Charles 'core' Stevenson (Jul 05)
- Re: Ports 0-1023? Brian Hatch (Jul 05)
- Re: Ports 0-1023? Kevin Easton (Jul 06)
- Re: Ports 0-1023? Charles 'core' Stevenson (Jul 06)
- Re: Ports 0-1023? Bruno Morisson (Jul 07)
- Re: Ports 0-1023? Brian Hatch (Jul 08)
- Re: Ports 0-1023? Bruno Morisson (Jul 08)
- Re: Ports 0-1023? Charles 'core' Stevenson (Jul 04)
- Re: Ports 0-1023? Kurt Seifried (Jul 04)
- Re: Ports 0-1023? Michal Zalewski (Jul 04)
- Re: Ports 0-1023? Kent Crispin (Jul 04)