From: Mikael Karpberg
Subject: Re: non-root users binding to ports < 1024
To: imp@village.org (Warner Losh)
Date: Sun, 24 Nov 1996 04:07:57 +0100 (MET)
Cc: freebsd-hackers@freebsd.org
In-Reply-To: from Warner Losh at "Nov 23, 96 03:50:12 pm"

According to Warner Losh:
> In message
> Marc Slemko writes:
[...]
> : I see little room for bugs in the kernel implementation of non-root users
> : binding to ports <1024; there is lots of room for problems in the use of
> : such a feature by programs, but that is really a different issue;
> : probably more important, but different and far more involved.

[Why not have an inetd-like thing which does setuid and forks?]

> Maybe I've missed something here... I don't see a compelling need for
> this facility in the kernel, at least for the most common cases that
> I've seen examples for. I can imagine complex programs desiring some
> way to bind multiple ports, or not have to exit to get back into the
> swing of things.
>
> I'll leave the design issues of sendmail alone as well :-)....

I might be wrong, but doesn't rlogin for example bind to a port < 1024 on OUTGOING connections, to make itself trustworthy?

It's setuid root, and could be just setuid bindlow or some other normal user, that would just have one extra permission: to bind to all ports < 1024, special sensitive ports excluded. I'm sure more programs than rlogin could use that user also. If someone exploits a security hole in rlogin, they don't get as big an advantage, since they can only bind to ports < 1024, and none of the really "interesting" ones (telnetd, rlogind, ftpd, etc). As I see it, any unnecessary privileges for setuid programs are just asking for trouble.

Now the question: How do we implement such a feature? I don't know exactly how IPFW works, but wouldn't we do about the same thing with this feature (I'm guessing ipfw reads command-line data and uses it for a sysctl)? Like:

/sbin/ipport add deny nobody tcp 1-65000, udp 1-65000
/sbin/ipport add allow bindlow 30+ except 80, 113, 111, 510-515
/sbin/ipport add allow smtpuser 25

(Hmm... I don't know... hope you get my meaning :)

This would even allow us to override the default "allow 1024-65000" for some users. Maybe also add interface? So that you can allow someone to bind any ports on an interface which his client machine can connect to, or so. I can see some interesting uses for a feature like this. Anyone else?

/Mikael
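A toy evaluator for the rule syntax sketched in the mail, added here as an example; it is not part of the original message and not FreeBSD code. It assumes first-match semantics like ipfw, that `30+` means port 30 and up, that a rule naming no protocol covers both tcp and udp, and that a request no rule matches falls back to the classic policy that only ports >= 1024 are open to everyone.

```python
"""Constructed model of the per-user port-binding rules proposed in the mail."""
LOW_PORT_LIMIT = 1024          # classic rule: ports below this need privilege
PROTOS = ("tcp", "udp")

def parse_portspec(tok):
    """'25' -> (25, 25); '510-515' -> (510, 515); '30+' -> (30, 65535)."""
    if tok.endswith("+"):
        return int(tok[:-1]), 65535
    lo, _, hi = tok.partition("-")
    return int(lo), int(hi or lo)

def parse_rule(line):
    """Parse '[/sbin/ipport] add allow|deny USER [proto] PORTS [except PORTS]'."""
    toks = line.replace(",", " ").split()
    if toks and toks[0] == "/sbin/ipport":
        toks = toks[1:]
    if len(toks) < 4 or toks[0] != "add" or toks[1] not in ("allow", "deny"):
        raise ValueError("bad rule: %r" % line)
    rule = {"action": toks[1], "user": toks[2], "ports": [], "except": []}
    proto, target = None, "ports"
    for tok in toks[3:]:
        if tok in PROTOS:
            proto = tok              # applies to the port specs that follow it
        elif tok == "except":
            target, proto = "except", None
        else:
            rule[target].append((proto, parse_portspec(tok)))
    return rule

def _covers(specs, proto, port):
    return any((p is None or p == proto) and lo <= port <= hi
               for p, (lo, hi) in specs)

def may_bind(rules, user, proto, port):
    """True if `user` may bind `proto` port `port`; first matching rule wins."""
    for rule in rules:
        if rule["user"] != user:
            continue
        if _covers(rule["ports"], proto, port) and not _covers(rule["except"], proto, port):
            return rule["action"] == "allow"
    return port >= LOW_PORT_LIMIT   # no rule matched: default policy

# The three rules from the mail, checked in the order given.
RULES = [parse_rule(l) for l in (
    "/sbin/ipport add deny nobody tcp 1-65000, udp 1-65000",
    "/sbin/ipport add allow bindlow 30+ except 80, 113, 111, 510-515",
    "/sbin/ipport add allow smtpuser 25",
)]

if __name__ == "__main__":
    for user, proto, port in (("bindlow", "tcp", 443), ("bindlow", "tcp", 513),
                              ("nobody", "tcp", 8080), ("smtpuser", "tcp", 25)):
        print(user, proto, port, "->", "allow" if may_bind(RULES, user, proto, port) else "deny")
```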