
Re: Got root?



On Tue, May 01, 2001 at 05:48:54AM -0400, Andres Salomon wrote:
> Perhaps I'm misunderstanding your proposition, but how is this different
> than, say, having inetd listen on ports below 1024, and then
> forking/changing to a different user once a connection is made to the port?
> 

To use inetd, a new process is spawned for each connection, and the
daemon has to be written to use identd.  With his, it's just like
opening on a port above 1024.

Although my personal opinion is that it should be controlled via
user/group, not binary.  E.g., your webserver user can open port 80.

> 
> 
> On Sun, Apr 29, 2001 at 07:19:06AM -0400, Sunny Dubey wrote:
> <snip>
> > 
> > It would be like having a file called /etc/acl.ports (or something) and 
> > within the file, would be a list of which binaries are allowed to bind to what 
> > ports.  (An example is provided below.)
> > 
> > # /etc/acl.ports
> > # Port Numbers               binary
> > 80      /usr/local/apache/bin/httpd
> > 22          /usr/local/openssh/sshd
> > 21         /usr/local/anonftpd/ftpd

-- 
Adam Olsen, aka Rhamphoryncus
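
A sketch of the per-binary check proposed in the quoted /etc/acl.ports message, as an added example that is not code from this thread or from any kernel patch. The function names, the euid argument, and the rule that root and ports above 1023 stay unrestricted are assumptions made for illustration.

```python
import posixpath

# Constructed sample in the format quoted above: "<port> <binary path>".
SAMPLE_ACL = """\
# /etc/acl.ports
# Port Numbers               binary
80      /usr/local/apache/bin/httpd
22          /usr/local/openssh/sshd
21         /usr/local/anonftpd/ftpd
"""

PRIVILEGED_MAX = 1023  # ports below 1024 normally require root to bind


def parse_acl(text):
    """Return {port: set of normalized binary paths}; reject malformed lines."""
    acl = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split(None, 1)
        if len(fields) != 2 or not fields[0].isdigit():
            raise ValueError(f"line {lineno}: expected '<port> <binary>'")
        port, path = int(fields[0]), fields[1].strip()
        if not 1 <= port <= PRIVILEGED_MAX:
            raise ValueError(f"line {lineno}: {port} is not a privileged port")
        if not posixpath.isabs(path):
            raise ValueError(f"line {lineno}: binary path must be absolute")
        acl.setdefault(port, set()).add(posixpath.normpath(path))
    return acl


def may_bind(acl, port, exe_path, euid):
    """Hypothetical policy decision for a bind() request."""
    if port > PRIVILEGED_MAX or euid == 0:
        return True  # assumed unchanged: high ports and root are unrestricted
    # Compare normalized paths so "bin/../bin/httpd" matches its ACL entry.
    return posixpath.normpath(exe_path) in acl.get(port, set())


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for port, exe in [(80, "/usr/local/apache/bin/httpd"), (80, "/tmp/httpd")]:
        print(port, exe, "allow" if may_bind(acl, port, exe, 33) else "deny")
```
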


