
Re: Got root?



Andres Salomon <dilinger@mp3revolution.net> writes:

> Perhaps I'm misunderstanding your proposition, but how is this different
> than, say, having inetd listen on ports below 1024, and then
> forking/changing to a different user once a connection is made to the
> port?

The current method you describe was vulnerable to bugs concerning setuid(),
as per the 2.2.15->16 bug found by sendmail - having come from root and
called setuid() to become someone else, it was still possible to return to
being root, at which point you have a root daemon running on a port: Bad.

If you do it via capabilities in the first place, you never need to have
*been* root in order to bind to the low port.

(This is only half a solution, though: you're preventing them exploiting
root by changing to use capabilities; what if they're out to exploit
capabilities instead of merely `get root'? Still, it'd buy us some time...)

~Tim
-- 
Newton and Adam, lost and found,            |piglet@stirfried.vegetable.org.uk
The apple must fall to the ground           |http://spodzone.org.uk/
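
The failure described in the message above, a daemon that called setuid() and could still return to root, is something a daemon can test for itself right after dropping. The following is an added example, not code from the thread; the function name `drop_privileges` and the target id 65534 are assumptions chosen for illustration.

```c
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch to uid/gid. Returns 0 only when the drop has been
 * verified as irreversible; on -1 the caller must exit, not carry on. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be cleared while still root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Group before user: once the uid is gone we may not change gid. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Do not rely on the return values alone: read the ids back. */
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    /* The failure mode from the message: a way back to root remains. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    if (gid != 0 && (setgid(0) == 0 || setegid(0) == 0))
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed target ids: 65534 when started as root, otherwise the
     * current ids so the verification also runs unprivileged. */
    int was_root = (geteuid() == 0);
    uid_t uid = was_root ? 65534 : getuid();
    gid_t gid = was_root ? 65534 : getgid();

    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "privilege drop failed or is reversible\n");
        return 1;
    }
    printf("uid=%ld gid=%ld, root not recoverable\n",
           (long)getuid(), (long)getgid());
    return 0;
}
```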


