
Re: socket-based activation has unmaintainable security?



Chow Loong Jin <hyperair@debian.org> writes:

> I think he's referring to allowing processes which require listening to
> a port under 1024 to run without superuser privileges. I believe our
> implementation on Debian (e.g. Apache) is to have the process start as
> root, start listening, and then setuid to an unprivileged user.

For INN, quite some time ago, I wrote a setuid helper program that did
nothing but bind the port for its parent process.  I know there are a few
other implementations of the same idea (I think Ian Jackson has a generic
one that's packaged in Debian).  I've always been surprised that more
long-running daemons that for one reason or another need to set up their
own listening ports don't use that technique.  I think it's more secure
than starting the whole complex daemon as root and then dropping
privileges.

It's not completely trivial, since you have to use two different
techniques depending on whether the OS uses BSD-style sockets or
STREAMS-style sockets (in BSD-style sockets you can bind in the child and
the parent sees the results, but with STREAMS-style sockets you pass the
file descriptor back to the parent), but it was only 219 lines of C
(without comments) for the helper program and another 30 or so for the
library to call it, and most of the helper program size is argument
parsing and verification.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
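An added illustration of the helper-program approach described in the message above. This is example code written for this page, not the INN helper or Ian Jackson's packaged tool: a parent process asks a forked "helper" to bind and listen on a TCP port and gets the socket back, showing both mechanisms the message contrasts, the helper binding a socket inherited from the parent (the BSD-socket case, where the parent simply sees the result) and the helper creating the socket itself and passing the descriptor back (what the STREAMS case requires; done here with SCM_RIGHTS over a Unix-domain socketpair, which is also how modern BSD-socket systems pass descriptors). The function names are invented for the example. A real helper would be a separate setuid-root executable exec'd by the parent and would bind a port below 1024; this demo forks instead and binds port 0 on loopback so it runs without privileges.

```c
/* Added example (not the INN helper from the message): a parent asks a forked
 * "helper" to bind and listen on a TCP port. Two mechanisms, matching the two
 * cases described: (1) the helper binds a socket inherited from the parent,
 * which then sees the bound socket; (2) the helper creates the socket and
 * passes it back with SCM_RIGHTS. Real code would exec a setuid-root helper
 * and bind a port below 1024; this demo forks and uses port 0 on loopback. */
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* The helper's only job: bind loopback:port and listen. Returns 0 on success. */
static int bind_and_listen(int s, uint16_t port) {
    int one = 1;
    setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    return bind(s, (struct sockaddr *)&sa, sizeof sa) == 0 && listen(s, 16) == 0 ? 0 : 1;
}

/* Send one descriptor over a Unix-domain socket with SCM_RIGHTS. Returns 0 on success. */
static int send_fd(int chan, int fd) {
    char byte = 'F';
    struct iovec iov = { &byte, 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u = { 0 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : 1;
}

/* Receive one descriptor; -1 if the helper sent nothing or something malformed. */
static int recv_fd(int chan) {
    char byte;
    struct iovec iov = { &byte, 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u = { 0 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS || c->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Reap the helper: 1 if it exited with status 0, else 0. */
static int helper_ok(pid_t pid) {
    int st;
    return waitpid(pid, &st, 0) == pid && WIFEXITED(st) && WEXITSTATUS(st) == 0;
}

/* Mechanism 1: the parent owns the socket and the helper binds it in place. Returns fd or -1. */
int listen_via_shared_socket(uint16_t port) {
    int s = socket(AF_INET, SOCK_STREAM, 0);
    pid_t pid = s < 0 ? -1 : fork();
    if (pid == 0) _exit(bind_and_listen(s, port));      /* helper side (would be an exec'd setuid binary) */
    if (pid < 0 || !helper_ok(pid)) { if (s >= 0) close(s); return -1; }
    return s;   /* the parent's descriptor refers to the same, now bound and listening, socket */
}

/* Mechanism 2: the helper creates the socket and hands the descriptor back. Returns fd or -1. */
int listen_via_fd_passing(uint16_t port) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {                                      /* helper side */
        int s = socket(AF_INET, SOCK_STREAM, 0);
        _exit(s >= 0 && bind_and_listen(s, port) == 0 && send_fd(sv[1], s) == 0 ? 0 : 1);
    }
    close(sv[1]);                                        /* so recv_fd sees EOF if the helper dies */
    int lfd = pid < 0 ? -1 : recv_fd(sv[0]);
    close(sv[0]);
    if (pid < 0 || !helper_ok(pid) || lfd < 0) { if (lfd >= 0) close(lfd); return -1; }
    return lfd;
}

/* Parent-side checks on what came back: bound port (0 on error) and listening state (1/0, -1 on error). */
uint16_t bound_port(int fd) {
    struct sockaddr_in sa; socklen_t len = sizeof sa;
    return getsockname(fd, (struct sockaddr *)&sa, &len) == 0 ? ntohs(sa.sin_port) : 0;
}
int is_listening(int fd) {
    int v; socklen_t len = sizeof v;
    return getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &v, &len) == 0 ? (v != 0) : -1;
}

int main(void) {
    int a = listen_via_shared_socket(0), b = listen_via_fd_passing(0);
    printf("shared socket: fd %d port %d listening %d\n", a, bound_port(a), is_listening(a));
    printf("passed fd:     fd %d port %d listening %d\n", b, bound_port(b), is_listening(b));
    return a < 0 || b < 0;
}
```

The child branch in each function is the part that would run with privilege, and it is deliberately the only part that touches bind() and listen(); everything else is ordinary unprivileged parent code. In the descriptor-passing form the parent does not take the helper's word for what it got back: bound_port() and is_listening() inspect the received descriptor with getsockname() and SO_ACCEPTCONN, which is the kind of check the parent should make before handing the socket to the rest of the daemon.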