Vulnerability Development mailing list archives
Re: Ports 0-1023?
From: Bruno Morisson <morisson () genhex org>
Date: Fri, 5 Jul 2002 00:55:20 +0000
On Thursday 04 July 2002 20:31, gminick wrote:
> On Thu, Jul 04, 2002 at 06:54:05PM +0100, Bruno Morisson wrote:
> > Example, uid 80 can bind to tcp port 80.
>
> It leads us to build more static and more complicated systems. We're just trying to provide new situations where bugs can exist and what we're trying to achieve isn't worthy...

Why do you say it would be more static ? I believe it would be much more flexible. As to new situations... It'd be really not a new situation. In that example uid 80 would be just like root... but unable to do all the other things root can :-) Don't think of it as giving privileges, but as taking them.

> > You start the httpd as that user, and drop privileges by setting your uid to nobody (or apache, or whatever). If the user exploits the daemon, it will be uid nobody (or whatever), and in the worst case scenario, he will have uid 80, and never uid 0.
>
> Are you sure? I think that our new user changes nothing and there's still a possibility of privileges expansion from user nobody to a root (if you've exploited apache with a remote exploit, and you have a shell as user nobody you're able to try to exploit something locally and get UID==0). Am I right?

Yes, it helps nothing in that case. The difference between starting a process (apache for example) as root then dropping privileges, from starting as a user who can only bind to port 80 (it has no other privileges) and then dropping that privilege is the question "do you trust the daemon *really* dropped privileges?", and using a principle of "least privilege".

If a process doesn't need certain privileges, _don't_ give them to it. Either you audit every daemon you run (if you have the source), or trust who wrote it (if you are unable to audit for lack of skills/time/source), or don't let it run *ever* as root just because it needs to bind to a "privileged" port, and minimize the risk.

I just don't see any need to run so many things as "root" just because they need to bind to privileged ports.

regards,
Bruno Morisson <morisson () genhex org>
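
Added example, not part of the original post or thread: the "do you trust the daemon *really* dropped privileges?" question above is something a daemon can check for itself. This C sketch uses the conventional start-as-root model (not the per-port uid scheme proposed in the thread); the function names and the 65534 "nobody" id are assumptions. It binds first, drops groups, gid and uid in that order, and fails closed if root can still be regained.

```c
#include <grp.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* 1 only if all ids are the unprivileged ones AND root cannot be regained. */
int privileges_really_dropped(uid_t uid, gid_t gid)
{
    if (uid == 0 || getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return 0;
    /* A leftover saved uid/gid of 0 would let these calls succeed. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return 0;
    if (gid != 0 && (setgid(0) == 0 || setegid(0) == 0))
        return 0;
    return 1;
}

/* Drop to uid/gid; 0 on success, -1 if any privilege is left over. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Groups and gid first: after setuid() we may not be allowed to change them. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return privileges_really_dropped(uid, gid) ? 0 : -1;
}

/* Bind a loopback listener while still privileged, then drop. Returns fd or -1. */
int bind_then_drop(unsigned short port, uid_t uid, gid_t gid)
{
    struct sockaddr_in sa = {0};
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 16) != 0 ||
        drop_privileges(uid, gid) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Demo: run as root; 65534 is assumed to be the "nobody" uid/gid. */
int main(void) { return bind_then_drop(80, 65534, 65534) < 0; }
```

A daemon that gets -1 here should exit rather than serve requests, since the check only helps if a failed drop is treated as fatal.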