Bugtraq mailing list archives

Re: ftpd: the advisory version


From: smb () RESEARCH ATT COM (Steven M. Bellovin)
Date: Mon, 26 Jun 2000 14:13:39 -0400


In message <20000624091756.28153.qmail () fiver freemessage com>, Lamagra Argamal
writes:


Last thing, I've been thinking about the general ftp protocol and there is only
1 reason why it should run as root after authentication. Namely to bind the
data connection to port <ftpport - 1> (mostly 20). And we all know high ports
require root privileges for binding.
Couldn't you change it to bind to the port at startup.
This would require some other changes to prevent DoS etc.
But it should be possible, after that the daemon can just drop all privileges
after authentication. Giving an attacker nothing.

In "Firewalls and Internet Security", Bill Cheswick and I outlined an
implementation technique that could avoid the problem.  Specifically,
we invoked a small, stupid, setuid-root program that, when passed a
socket on port 21, bound another socket to port 20.  Many other
variants on that scheme are possible, especially if passing file
descriptors across pipes or UNIX domain socket pairs works on your
system.

                --Steve Bellovin
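
The descriptor-passing variant mentioned in the reply above, as an added example that is not part of the original post or of the book's code: a privileged side binds the socket and hands it across a UNIX domain socket pair with SCM_RIGHTS, so the receiving process never needs root. The function names are hypothetical, and the caller chooses the port (20 for an FTP data connection, which requires root; 0 selects an unprivileged ephemeral port for trying it out).

```c
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Aligned buffer for one SCM_RIGHTS control message carrying a single int. */
union ctl { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; };

/* Send descriptor fd over UNIX-domain socket chan; 0 on success, -1 on error. */
int send_fd(int chan, int fd) {
    char byte = 0; union ctl u = { { 0 } };
    struct iovec iov = { &byte, 1 };      /* at least one data byte must travel */
    struct msghdr msg = { 0 };
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor from chan; returns it, or -1 if none arrived. */
int recv_fd(int chan) {
    char byte; union ctl u; int fd = -1;
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { 0 };
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Local port a socket is bound to, or -1. */
int bound_port(int s) {
    struct sockaddr_in a; socklen_t n = sizeof a;
    return getsockname(s, (struct sockaddr *)&a, &n) == 0 ? ntohs(a.sin_port) : -1;
}

/* Privileged side: bind, pass the socket over chan, keep no copy. Returns the port. */
int bind_and_pass(int chan, unsigned short port) {
    struct sockaddr_in a = { 0 };
    int s = socket(AF_INET, SOCK_STREAM, 0), rc = -1;
    a.sin_family = AF_INET; a.sin_addr.s_addr = htonl(INADDR_ANY); a.sin_port = htons(port);
    if (s >= 0 && bind(s, (struct sockaddr *)&a, sizeof a) == 0 && send_fd(chan, s) == 0)
        rc = bound_port(s);
    if (s >= 0) close(s);
    return rc;
}
```

In a daemon, `chan` would be one end of a `socketpair(AF_UNIX, SOCK_STREAM, 0, sv)` created before the fork, with the unprivileged process calling `recv_fd` on the other end.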

