
Re: Got root?



On Mon, Apr 30, 2001 at 08:04:50PM -0400, Jacob Kuntz wrote:
> > Why does UNIX continue to give root access to all daemons below port 1024?
> 
> Other way around. In order to bind to ports <1024 a process must have uid 0.

on linux 2.2 and later this is wrong, see below.

> Interesting idea. I had been wondering how long it would be before (if ever)
> network interfaces, protocols, and ports would be represented as objects
> under devfs, allowing for permissions to be applied there.

someone once suggested that ports be displayed under /proc and allow
their permissions/owners to be changed thus allowing non-root users to
bind to them.  it was shot down as a bad idea in the end.

at least partly because there is already a better method for this, and
it's available in 2.2 and 2.4 kernels: capabilities.

under linux it's NOT uid=0 that grants the ability to bind to
privileged ports, it's capability bit 10, or the CAP_NET_BIND_SERVICE
capability.  any process with this capability may bind to privileged
ports, regardless of uid.  currently only uid=0 simply has all
capabilities enabled.  there is software (such as iirc a capability
aware start-stop-daemon) that will drop all unnecessary capabilities,
change uids, and start a daemon, leaving only the cap it needs to run
properly.

as it is many daemons don't really need this, bind for example can
bind to the port as root, then drop all root privileges.  the time
when this doesn't work is if the interface changes and bind needs to
rebind to a new address, it can't since it dropped its privileges.
under a capability model bind would do the same thing it does now,
dropping root and all capabilities except CAP_NET_BIND_SERVICE so it
can rebind to port 53 at any time.  ironically this is slightly less
secure in this context -- if bind is compromised it could in theory
attempt to bind to port 22 or something and snatch passwords, it would
of course need to somehow dispose of the running sshd process...

eventually there may be capability bits in the filesystem allowing
things like /bin/ping to no longer be setuid root, but instead have
the CAP_NET_RAW capability bit turned on.  this way it runs
unprivileged except for being allowed to open raw sockets.  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
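The "drop root but keep only CAP_NET_BIND_SERVICE" sequence the message describes, as an added example that is not part of the thread: it uses the raw capset(2) syscall rather than libcap, is Linux-only, and the uid/gid 65534 is a constructed placeholder for whatever user the daemon runs as.

```c
/* Added example (not from the thread): switch from uid 0 to an unprivileged
 * uid while keeping ONLY CAP_NET_BIND_SERVICE, so a daemon like bind can
 * rebind port 53 later without being able to regain root. Linux-only. */
#define _GNU_SOURCE
#include <linux/capability.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* Capability sets are 64 bits wide (two u32 words); bit n is capability n. */
uint64_t cap_bit(int cap) { return (uint64_t)1 << cap; }

/* Fill the capset(2) data array: effective = permitted = keep, inheritable = 0
 * (nothing is passed on to exec'd children). */
void fill_cap_data(struct __user_cap_data_struct d[_LINUX_CAPABILITY_U32S_3], uint64_t keep)
{
    for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; i++) {
        d[i].effective = d[i].permitted = (uint32_t)(keep >> (32 * i));
        d[i].inheritable = 0;
    }
}

/* Must be called as uid 0. Returns 0 on success, -errno on failure.
 * Once this returns, CAP_SETUID is gone from the permitted set, so setuid(0) fails. */
int drop_root_keeping(uid_t uid, gid_t gid, uint64_t keep)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    /* Without KEEPCAPS, setuid() away from 0 clears the permitted set too. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) return -errno;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -errno;  /* clears effective, keeps permitted */
    fill_cap_data(data, keep);
    /* Shrinking to a subset of the permitted set needs no CAP_SETPCAP. */
    if (syscall(SYS_capset, &hdr, data) < 0) return -errno;
    prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
    return 0;
}

int main(void)
{
    int rc = drop_root_keeping(65534, 65534, cap_bit(CAP_NET_BIND_SERVICE)); /* constructed uid/gid */
    if (rc) { fprintf(stderr, "drop failed: %s\n", strerror(-rc)); return 1; }
    printf("uid now %d; setuid(0) returns %d (expected -1)\n", getuid(), setuid(0));
    return 0;
}
```

A daemon would bind its privileged socket before calling this, then keep running with only that one capability; check /proc/PID/status (CapEff) to confirm the result.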
