Re: Default DENY with ipchains

To: Steve Bowman <sbowman@frostwork.net>
Cc: debian-firewall@lists.debian.org
Subject: Re: Default DENY with ipchains
From: James Antill <james@and.org>
Date: 20 Oct 2000 19:28:11 -0400
Message-id: <[🔎] nn3dhr6qk4.fsf@code.and.org>
In-reply-to: Steve Bowman's message of "Thu, 19 Oct 2000 18:30:21 -0700"
References: <[🔎] 000b01c03a10$8f514690$0200a8c0@aub.dk> <[🔎] nn66moxxn2.fsf@code.and.org> <[🔎] 20001019183021.A12550@frostwork.net>

Steve Bowman <sbowman@frostwork.net> writes:

> On Thu, Oct 19, 2000 at 06:40:49PM -0400, James Antill wrote:
> > "Srebrenko Sehic" <haver@aub.dk> writes:
> > 
> > > Hello
> > > 
> > > Is is possible to prevent ordinary users from opening unprivliged ports
> > > (>1024 tcp/udp)? If yes, how?
> > > 
> > > I've tried virtually every possible way to do this, but with no luck.
> > 
> >  As far as I know you can't do it with firewall rules.
> >  However you could _try_ just changing PROT_SOCK in
> > linux/include/net/sock.h from 1024 to 65535.
> 
> It'll work, that's the right define (I didn't check),

 Yeh I knew it was the right define, but I wondered if connect's
automatic "bind" would use this as well. I'd assume not ... but I
might be wrong.

>                                                       but it's not very
> smart - not the suggestion from James, the original poster's idea.

 I'd agree it isn't a good idea, if you don't trust users on your box
then you're probably going to be "owned" anyway -- esp. if they can
compiled programs.

> This will prevent an ordinary user from running X or telnet or ftp
> or anything that uses networking at all (which even some apparently
> local-only programs use).

 X should be OK as long as you pass "-nolisten tcp" to the X server
(bottom of /etc/gdm/gdm.conf), which I do anyway (use ssh if you want
remote connections). Actaully X is root anyway, so that shouldn't
matter.

 As far as I know "telnet" _should_ be ok as I think that PROT_SOCK is
only used for explicit calls from bind() ... however I might be wrong,
in which case just hack inet_bind() in linux/src/net/ipv4/af_inet.c
(and ipv6/af_inet6.c if you use that). ftp could be a problem, if you
can't configure it for pasive mode.

>                            Everything using networking will have to be
> run as root.  Now you have to consider if any such program is secure
> to run as root.  Running them as an ordinary user is safer.  That is,
> you're probably not increasing security, but decreasing it.

 Almost all my network daemons are running as root anyway though (at
least when they do the bind() they are, because they are usually
getting things below 1024 anyway).

> Steve Bowman  <sbowman@frostwork.net> (preferred)
> Buckeye, AZ   <sbowman@goodnet.com> <bowmanc@acm.org>
>               <http://www.goodnet.com/~sbowman/>

You did the bowman wm ?

-- 
James Antill -- james@and.org
"If we can't keep this sort of thing out of the kernel, we might as well
pack it up and go run Solaris." -- Larry McVoy.

Reply to:

Follow-Ups:
- Re: Default DENY with ipchains
  - From: Steve Bowman <sbowman@frostwork.net>

References:
- Default DENY with ipchains
  - From: "Srebrenko Sehic" <haver@aub.dk>
- Re: Default DENY with ipchains
  - From: James Antill <james@and.org>
- Re: Default DENY with ipchains
  - From: Steve Bowman <sbowman@frostwork.net>

Prev by Date: Re: Setting up firewall on 2 interface within same subnet?
Next by Date: Re: Default DENY with ipchains
Previous by thread: Re: Default DENY with ipchains
Next by thread: Re: Default DENY with ipchains
Index(es):
- Date
- Thread