
Re: Got root?



Ummm.. you got it a bit backwards... UNIX does not *give* root access to
daemons below 1024... The program (not necessarily a daemon) must HAVE
root access before it can bind to a port below 1024.

That said, you may be on to something. It sounds like a good idea to
me... but that doesn't necessarily mean anything.

--Rich


Sunny Dubey wrote:
> 
> Hi
> 
> I know that this might sound like a stupid question, but it's one that has
> been bugging me.
> 
> Why does UNIX continue to give root access to all daemons below port 1024?
> 
> I know that UNIX does it so that normal users can't seem like legit and
> important services, but there surely must be some better way of delegating a
> port below 1024 to a daemon.
> 
> A while ago, I remember reading on slashdot about how TrustedBSD and OpenBSD
> were different from each other.  One of the differences was the fact that
> TrustedBSD used ACLs to give access to whatever for whomever.  Couldn't you
> essentially do the same for ports?  (Instead of giving access to files, you
> would give access to ports)
> 
> It would be like having a file called /etc/acl.ports (or something) and
> within the file, would be a list of which binaries are allowed to bind to what
> ports.  (an example is provided below)
> 
> # /etc/acl.ports
> # Port Numbers               binary
> 80      /usr/local/apache/bin/httpd
> 22          /usr/local/openssh/sshd
> 21         /usr/local/anonftpd/ftpd
> 
> This way, not only would root have control over all ports below 1024, but the
> daemons themselves don't need to be running as root.  (I also think that it
> would be very odd for a daemon _needing_ root access to run in the first
> place ...)
> 
> Thanks for hearing me out.  I could be very wrong on all of this.  (Sorry if
> I am)  I would just like to know why this hasn't been implemented in UNIX.
> (Actually, I did once hear about some patch to the Linux kernel that did
> something similar, but I have yet to find the patch)
> 
> Sunny Dubey
> <insert funny-witty comment here>
> 

-- 

_________________________________________________________
                         
Rich Puhek               
ETN Systems Inc.         
_________________________________________________________
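
The lookup that the /etc/acl.ports idea in the quoted message would require, as an added example (not code from either poster or from any kernel patch). The function name `acl_port_allowed`, the default-deny rule for ports below 1024, and the absolute-path requirement are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the table from the quoted message. */
static const char SAMPLE_ACL[] =
    "# /etc/acl.ports\n"
    "# Port Numbers               binary\n"
    "80      /usr/local/apache/bin/httpd\n"
    "22          /usr/local/openssh/sshd\n"
    "21         /usr/local/anonftpd/ftpd\n";

/* Hypothetical policy check: returns 1 if `binary` may bind `port`, else 0.
 * Ports >= 1024 stay unrestricted; below 1024 an exact port + absolute-path
 * match is required, so anything not listed is denied. */
int acl_port_allowed(const char *acl, int port, const char *binary)
{
    if (port < 1 || port > 65535 || binary == NULL || binary[0] != '/')
        return 0;                    /* invalid port or relative path */
    if (port >= 1024)
        return 1;

    const char *line = acl;
    while (*line) {
        size_t len = strcspn(line, "\n");
        char buf[512];
        if (len < sizeof buf) {      /* over-long lines are skipped, never truncated */
            memcpy(buf, line, len);
            buf[len] = '\0';
            char *end;
            long p = strtol(buf, &end, 10);
            /* Rule line: digits, whitespace, path. Comment lines fail the
             * test because strtol consumes nothing (end == buf). */
            if (end != buf && (*end == ' ' || *end == '\t')) {
                end += strspn(end, " \t");
                end[strcspn(end, " \t\r")] = '\0';  /* trim trailing space */
                if (p == port && strcmp(end, binary) == 0)
                    return 1;
            }
        }
        line += len + (line[len] == '\n');
    }
    return 0;
}

int main(void)
{
    printf("listed httpd on 80: %d, /tmp/httpd on 80: %d\n",
           acl_port_allowed(SAMPLE_ACL, 80, "/usr/local/apache/bin/httpd"),
           acl_port_allowed(SAMPLE_ACL, 80, "/tmp/httpd"));
    return 0;
}
```

For the scheme to mean anything, the check would have to run inside the kernel's bind() path and use the identity of the executable actually running, not a path string the process supplies.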


