Vulnerability Development mailing list archives

Re: Ports 0-1023?


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Thu, 4 Jul 2002 14:18:24 -0400 (EDT)

On Thu, 4 Jul 2002, alex wrote:

> The assumption was that if the system administrator ran it, then it must
> be trustworthy). This thinking harks back to an era when SysAdmins were
> a select breed, not just any punk with a linux box. Nowadays it has
> been realised that trusting any other machine, even on your home
> network, is naive (because it could have been subverted).

No, that's not really like that. If you have a server, you expect that
whatever is served on low ports (such as 80), is put there by the
administrator / the owner of this machine, and not by any of 1000 other
users that, say, pay them for mail accounts.

Simple as that. Of course, the whole privilege system on a generic Unix is
badly outdated and insufficient, but for as long as you have to live with
it, this is the best you can get.

> So the extra risk run giving these daemons extra privilege is wasted, I
> think.

Many daemons would still have to keep root privileges. SSH, telnet, ftp,
pop3, Sendmail and many more would most likely require root at some point.
With many services, you could possibly force them to start with non-root
privileges, but I bet you would most likely break some stuff and open new
security problems (remember the Sendmail issue with setuid() failing on
Linux with broken capabilities?). Many services just assume they succeeded
with some things, since they should be running as root at this point. For
some system calls, the semantics are different depending on uid, and this
may be dangerous too.

I think it is easier to check whether a given service actually successfully
dropped the privileges on your system.

-- 
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/
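A check of the kind the post suggests, added here as an example and not part of the original message or of any daemon it names: a small C program that drops root to a target uid/gid in the right order, tests every return value (the silent setuid() failure mentioned above is exactly what an unchecked call hides), and then verifies that the drop took effect and cannot be reversed. The function names are my own, and the demo uses the caller's own ids as the target so it also runs unprivileged.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to uid/gid. Returns 0 on success, -1 on failure (errno set).
 * Supplementary groups and the gid go first: once the uid is
 * unprivileged they can no longer be changed. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0) /* root only */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0) /* never assume this succeeded */
        return -1;
    return 0;
}

/* Verify the drop instead of trusting the daemon: we must be exactly
 * uid/gid, and if that is not root, regaining root must fail.
 * Returns 1 if privileges are really gone, 0 otherwise. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && (setuid(0) == 0 || setgid(0) == 0))
        return 0; /* drop was reversible: not a real drop */
    return 1;
}

int main(void)
{
    /* Constructed target: our own ids, so the demo also runs as a
     * normal user; a daemon would pass its service account here. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "drop failed: %s\n", strerror(errno));
        return 1;
    }
    int ok = privileges_dropped(uid, gid);
    printf("privileges dropped and irreversible: %s\n", ok ? "yes" : "NO");
    return ok ? 0 : 1;
}
```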

