On Mon, Apr 30, 2001 at 08:04:50PM -0400, Jacob Kuntz wrote:

> > Why does UNIX continue to give root access to all daemons below port 1024?
>
> Other way around. In order to bind to ports <1024 a process must have uid 0.

on linux 2.2 and later this is wrong, see below.

> Interesting idea. I had been wondering how long it would be before (if ever)
> network interfaces, protocols, and ports would be represented as objects
> under devfs, allowing for permissions to be applied there.

someone once suggested that ports be displayed under /proc and allow their permissions/owners to be changed, thus allowing non-root users to bind to them. it was shot down as a bad idea in the end, at least partly because there is already a better method for this, and it's available in 2.2 and 2.4 kernels: capabilities.

under linux it's NOT uid=0 that grants the ability to bind to privileged ports, it's capability bit 10, or the CAP_NET_BIND_SERVICE capability. any process with this capability may bind to privileged ports, regardless of uid. currently uid=0 simply has all capabilities enabled.

there is software (such as, iirc, a capability-aware start-stop-daemon) that will drop all unnecessary capabilities, change uids, and start a daemon, leaving only the cap it needs to run properly.

as it is, many daemons don't really need this. bind, for example, can bind to the port as root, then drop all root privileges. the time when this doesn't work is if the interface changes and bind needs to rebind to a new address: it can't, since it dropped its privileges. under a capability model bind would do the same thing it does now, dropping root and all capabilities except CAP_NET_BIND_SERVICE, so it can rebind to port 53 at any time. ironically this is slightly less secure in this context -- if bind is compromised it could in theory attempt to bind to port 22 or something and snatch passwords; it would of course need to somehow dispose of the running sshd process...

eventually there may be capability bits in the filesystem allowing things like /bin/ping to no longer be setuid root, but instead have the CAP_NET_RAW capability bit turned on. this way it runs unprivileged except for being allowed to open raw sockets.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
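The "bind as root, then drop root but keep only CAP_NET_BIND_SERVICE" pattern the message describes, written out as an added C example (this is not code from the post, from Ethan Benson, or from bind/start-stop-daemon). It uses the raw capget/capset syscalls rather than libcap, so it builds with nothing but glibc on Linux; the unprivileged uid/gid 65534, the SO_REUSEADDR setting and the default port 53 are assumptions chosen for the example.

```c
/* Added example (not from the original mailing-list post): bind a
 * privileged port as root, drop to an unprivileged uid while keeping
 * exactly one capability (CAP_NET_BIND_SERVICE, bit 10), then rebind.
 * Linux-only; uses raw capget/capset so no libcap is needed. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <linux/capability.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Ports 1..1023 are the ones the kernel guards with CAP_NET_BIND_SERVICE. */
int is_privileged_port(int port) { return port > 0 && port < 1024; }

/* Capability sets are bitmasks; CAP_NET_BIND_SERVICE is bit 10, as the post says. */
unsigned int cap_mask(int cap) { return 1u << cap; }

/* Bind a TCP socket to the given port on all interfaces; returns fd or -1. */
int bind_tcp(int port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;  /* assumption: allow rebind right after close */
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons((unsigned short)port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;
}

/* Switch from root to uid/gid, keeping only capability `keep` (0..31)
 * in the permitted and effective sets. Returns 0 on success, -1 on error. */
int drop_root_keep_cap(uid_t uid, gid_t gid, int keep) {
    /* Without KEEPCAPS, setuid() away from 0 would clear the permitted set. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    /* setuid cleared the effective set; re-enable just the one cap we kept
     * and shrink the permitted set to it so nothing else can be regained. */
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);          /* data[1] (caps 32..63) stays empty */
    data[0].permitted = data[0].effective = cap_mask(keep);
    return syscall(SYS_capset, &hdr, data) < 0 ? -1 : 0;
}

/* Which of the low 32 capabilities are currently in the effective set. */
unsigned int effective_caps(void) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) < 0) return 0;
    return data[0].effective;
}

int main(int argc, char **argv) {
    int port = argc > 1 ? atoi(argv[1]) : 53;   /* 53: the post's bind example */
    int fd = bind_tcp(port);
    if (fd < 0) { perror("bind"); return 1; }
    printf("bound port %d as uid %d\n", port, (int)getuid());
    if (getuid() == 0) {
        if (drop_root_keep_cap(65534, 65534, CAP_NET_BIND_SERVICE) < 0) {
            perror("drop_root_keep_cap");
            return 1;
        }
        close(fd);
        /* The rebind succeeds as uid 65534 only because bit 10 was kept. */
        fd = bind_tcp(port);
        const char *status = fd < 0 ? strerror(errno) : "ok";
        printf("rebind as uid %d: %s (effective caps 0x%x)\n",
               (int)getuid(), status, effective_caps());
    }
    return fd < 0;
}
```

Run it as root with a privileged port (e.g. `./a.out 53`) to see the rebind succeed as uid 65534 with effective caps 0x400; comment out the capset step and the rebind fails with EACCES, which is exactly the "bind can't rebind after dropping root" problem the post describes. Note that the kept capability is coarse: it allows binding to any port below 1024, not just 53, which is the post's point about a compromised daemon still being able to grab port 22.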