Re: Got root?
Perhaps I'm misunderstanding your proposition, but how is this different
from, say, having inetd listen on ports below 1024 and then
forking/changing to a different user once a connection is made to the port?
[root@incandescent drive2]# echo "finger stream tcp nowait nobody /usr/bin/id" >> /etc/inetd.conf
[root@incandescent drive2]# killall -HUP inetd
[root@incandescent drive2]# nc localhost finger
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
[root@incandescent drive2]#
On Sun, Apr 29, 2001 at 07:19:06AM -0400, Sunny Dubey wrote:
<snip>
>
> It would be like having a file called /etc/acl.ports (or something) and
> within the file would be a list of which binaries are allowed to bind to what
> ports. (an example is provided below)
>
> # /etc/acl.ports
> # Port Numbers binary
> 80 /usr/local/apache/bin/httpd
> 22 /usr/local/openssh/sshd
> 21 /usr/local/anonftpd/ftpd
>
> This way, not only would root have control over all ports below 1024, but the
> daemons themselves don't need to be running as root. (I also think that it
> would be very odd for a daemon _needing_ root access to run in the first
> place ...)
>
> Thanks for hearing me out. I could be very wrong on all of this. (Sorry if
> I am) I would just like to know why this hasn't been implemented in UNIX.
> (Actually, I did once hear about some patch to the Linux kernel that did
> something similar, but I have yet to find the patch)
>
> Sunny Dubey
> <insert funny-witty comment here>
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
--
"... being a Linux user is sort of like living in a house inhabited
by a large family of carpenters and architects. Every morning when
you wake up, the house is a little different. Maybe there is a new
turret, or some walls have moved. Or perhaps someone has temporarily
removed the floor under your bed." - Unix for Dummies, 2nd Edition
-- found in the .sig of Rob Riggs, rriggs@tesser.com