Bug#427605: ITP: privbind -- Allow unprivileged apps to bind to a privileged port
Russell Coker wrote:
> On Wednesday 06 June 2007 20:05, Shachar Shemesh <shachar@debian.org> wrote:
>
>>> What benefits does this offer over authbind which has been in Debian for
>>> ages?
>>>
Before I begin answering your questions, the bug report has a link to a
technical explanation of how privbind is implemented. Have you read it?
>> It uses a (I think) much more secure mode of operation. In particular:
>> - No SUID executables
>> - User who launches the daemon must be root
>>
>
> Having a daemon instead of a SUID executable does not inherently make it more
> secure (there has been no shortage of exploits for bugs in daemons in the
> past).
>
s/daemon/program that needs low port binding/
privbind does not allow regular users to bind to low ports. Privbind
allows root to run programs that bind to low ports as non-root.
> The usual system is that a process with UID != 0 can not bind to ports below
> 1024. Breaking this involves increasing the privileges of some programs.
>
Please read the privbind man page. It does not do what you think it does.
>
>> And, as a result:
>> - No global configuration necessary (though one will probably be added
>> later if necessary).
>>
>
> How can there be no global configuration needed?
Please read the privbind man page. It does not do what you think it does.
> The sysadmin needs to decide
> which users are granted the privilege to bind to low ports and which ports
> those users may bind to.
>
Please read the privbind man page. It does not do what you think it does.
Shachar