
Re: Got root?



On Sun, Apr 29, 2001 at 07:19:06AM -0400, Sunny Dubey wrote:
> 
> I know that UNIX does it so that normal users can't seem like legit and 
> important services, but there surely must be some better way of delegating a 
> port below 1024 to a daemon.

*DISCLAIMER* I do not know exactly what I'm talking about. Large grains of
salt recommended to aid in digestion.

To the best of my knowledge, root access is only required in order to bind
to a privileged port. A process does not need to be running as root in
order to communicate using a privileged port. I believe that this
restriction is in place so that a daemon running on a privileged port not
only has to have access to the port, but can be protected by stricter access
on a system (eg: having the binaries 0500 and owned root:root.) It's
conceivable (to me at least) that a non-root owned file could be compromised
by another non-root process, but with your proposal it would still be
allowed to bind to a port.

A good example of execute and chuser is Apache. It has to be executed as
root, but immediately chuser's to non-root once binding. I suppose there is
some risk involved in this scheme, but I'm too caffeine-addled to think of
anything now.

inetd should probably be (or has been?) re-written such that it chuser's
before exec'ing to remove the dependency on the application acting in a
proper manner. I think all of us can agree that an application, especially a
daemon servicing the unwashed masses on the net, should run with the
minimal permissions required to get the job done. ftp might be a problem,
since I believe all or most daemons run as root until the user is
authenticated, then chuser. (This is also where most of the security holes
in ProFTP, wu-ftp, and others arise.) Since we're dreaming pipe dreams, we
may as well hope for system call ACLs that would allow a non-root daemon
running as uid 'ftpd' to chuser to another non-root uid. I think that some
OSes have this ability.

Not everything uses inetd though. Other services (such as http) would still
be dependent on quality coding to avoid compromise.

Did I make any sense?

-- 
Brandon High                                     armitage@freaks.com
The careful application of terror is also a form of communication.
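The "start as root, bind the privileged port, then chuser" pattern the post attributes to Apache, written out as an added example that is not part of the original thread or of any project's code. It assumes a POSIX/Linux system; the uid and gid defaults in main() (65534, "nobody" on many systems) and the port argument are placeholders chosen for illustration. The point it demonstrates beyond the post: the order of the setgroups/setgid/setuid calls matters, the already-bound socket keeps working after the drop, and the drop should be verified as irreversible rather than assumed.

```c
/* Added example (not from the original thread): bind a listener while still
 * root, then permanently drop to an unprivileged uid/gid, Apache-style.
 * Assumes POSIX/Linux; uid/gid defaults below are illustrative placeholders. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a listening TCP socket on `port`. Ports below 1024 need root
 * (or CAP_NET_BIND_SERVICE on Linux); port 0 asks the kernel for any free
 * unprivileged port, which lets this run without root. Returns fd or -1. */
int bind_listener(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 16) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Report the port a listener actually received (needed when port 0 was used). */
int bound_port(int fd)
{
    struct sockaddr_in addr;
    socklen_t len = sizeof addr;
    if (getsockname(fd, (struct sockaddr *)&addr, &len) < 0)
        return -1;
    return ntohs(addr.sin_port);
}

/* Give up root for good after the privileged bind. Order matters:
 * supplementary groups and the gid go first, because once the uid is
 * non-root the process may no longer change its groups. The open socket
 * is unaffected by the change. Afterwards, confirm root cannot be regained.
 * Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0)  /* only root can clear these */
        return -1;
    if (setgid(gid) < 0)
        return -1;
    if (setuid(uid) < 0)
        return -1;
    /* Verification: if we can still become uid 0, the drop was not real. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Placeholders: port 0 (kernel-chosen) and uid/gid 65534; as root you
     * would pass e.g. "80 65534 65534" to serve a privileged port. */
    uint16_t port = argc > 1 ? (uint16_t)atoi(argv[1]) : 0;
    uid_t uid = argc > 2 ? (uid_t)atoi(argv[2]) : 65534;
    gid_t gid = argc > 3 ? (gid_t)atoi(argv[3]) : 65534;

    int fd = bind_listener(port);
    if (fd < 0) {
        perror("bind_listener");
        return 1;
    }
    /* An unprivileged run has nothing to drop: keep the current ids. */
    if (geteuid() != 0) {
        uid = getuid();
        gid = getgid();
    }
    if (drop_privileges(uid, gid) < 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("listening on port %d as uid %u\n", bound_port(fd), (unsigned)getuid());
    close(fd);
    return 0;
}
```

Run as an ordinary user it binds an ephemeral port and "drops" to the ids it already has, which exercises the same code path; the verification step is what makes the difference between a daemon that merely appears unprivileged and one that actually is.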
