Vulnerability Development mailing list archives
Re: Ports 0-1023?
From: Martin Mačok <martin.macok () underground cz>
Date: Thu, 4 Jul 2002 09:30:45 +0200
On Thu, Jul 04, 2002 at 12:05:16AM -0700, Blue Boar wrote:
> Is there any point in needing to be root in order to allocate the low ports on unix-like systems, anymore?
This was discussed some time ago on tech () openbsd org (~2 years ago), it should be archived somewhere. IIRC:

1) This is the Unix way and we want to be compatible (bind port, drop root - easy)

2) The user which is able to bind low ports can bind a port when the service crashes or when it is being restarted by the administrator. So you still have to protect this special user/group (faked service or DoS is considered dangerous).

3) You still want to drop that special privilege after binding that port, because when the service is compromised, the attacker gains power to bind low ports, which means he is able to bind ports of other services (on crash/restart). (And remember - when you're not root, dropping privileges is "harder" or even not possible.)

From a theoretical point of view - yes. Root is too powerful and dangerous; some form of ACLs or capabilities would be better (or maybe just some special group). But this way you get a system/service which is not Unix compatible, so you must maintain 2 versions - one for your system and one (insecure?) for the *nix.

Anyway, inetd (xinetd/tcpserver) is a standard solution for that problem too.

--
Martin Mačok http://underground.cz/
martin.macok () underground cz http://Xtrmntr.org/ORBman/