Date:      Thu, 2 Jul 1998 05:54:16 -0400
From:      "Allen Smith" <easmith@beatrice.rutgers.edu>
To:        dg@root.com
Cc:        security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Subject:   Re: bsd securelevel patch question
Message-ID:  <9807020554.ZM1570@beatrice.rutgers.edu>
In-Reply-To: David Greenman <dg@root.com>    "Re: bsd securelevel patch question" (Jul  2,  1:55am)
References:  <199807020855.BAA23399@implode.root.com>

On Jul 2,  1:55am, David Greenman (possibly) wrote:
>    Well, someone will have to convince me that delegating access on a port
> by port basis is necessary in the first place. I'd personally be happy with
> a simple privilege that allows binding to ports <1024.

Daemon spoofing. Let's say I've set up a web server that binds to port
I want to reduce the risks from this, so I (under your scheme) give
the server a privilege that enables it to bind (I'm assuming binding
for reception of incoming stuff only, given rsh et al) to any TCP port
below 1024. Cracker notices that I've made a goof in writing a cgi
script (or the author of the webserver has goofed), and proceeds to
crack it such that he can run any arbitrary program under that uid,
with that privilege (this will be the case if it's run as a uid
instead of setuid). Now, run a program via cron on a very frequent
basis that tries binding to the smtp, ssh, or other significant port
not run through inetd. This enables mail interception for smtp,
password interception for ssh, etcetera. With the exception of a
syslog'd error message from the smtp program, this won't be spotted in
that case if the cracker then uses sendmail's -bs flag, or the
equivalent for other mail programs. Ssh is admittedly going to get
spotted pretty soon, but one interception of the root password (or an
interception of a password a person uses across systems) is going to
be enough to create problems.

There are probably other vulnerabilities that I haven't thought of;
going off of the least privilege principle seems the best.

	-Allen

-- 
Allen Smith				easmith@beatrice.rutgers.edu
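
The spoofing scenario above shows up on the host as a reserved port (below 1024) held by an account other than the one expected to run that service. The following check is an added example, not part of the original message; the listing is constructed in the column layout of FreeBSD `sockstat -4l`, and the policy table, user names, and port numbers are assumptions.

```python
# Added example: flag reserved ports (<1024) whose listening socket is owned
# by an account other than the one site policy expects for that service.

# Constructed sample in the column layout of FreeBSD `sockstat -4l`.
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       612   3  tcp4   *:22                  *:*
www      httpd      845   4  tcp4   *:80                  *:*
www      perl       2231  3  tcp4   *:25                  *:*
root     inetd      590   5  tcp4   10.0.0.5:110          *:*
"""

# Assumed site policy: which account may own each reserved TCP port.
EXPECTED = {22: "root", 25: "root", 80: "www"}
RESERVED_MAX = 1023


def parse_listeners(text):
    """Yield (user, command, pid, port) for each TCP listener line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "USER":
            continue  # skip the header and short or blank lines
        user, command, pid, _fd, proto, local = fields[:6]
        if not proto.startswith("tcp") or not pid.isdigit():
            continue
        port = local.rsplit(":", 1)[-1]  # handles "*:22" and "10.0.0.5:110"
        if port.isdigit():
            yield user, command, int(pid), int(port)


def find_spoofed(text, expected=EXPECTED):
    """Return findings for reserved ports with a wrong or unlisted owner."""
    findings = []
    for user, command, pid, port in parse_listeners(text):
        if port > RESERVED_MAX:
            continue
        owner = expected.get(port)
        if owner is None:
            findings.append((port, user, command, pid, "port not in policy"))
        elif owner != user:
            findings.append((port, user, command, pid, f"expected owner {owner}"))
    return findings


if __name__ == "__main__":
    for finding in find_spoofed(SAMPLE):
        print(finding)
```

A periodic check like this only sees a listener that is present at the moment it runs, so it complements per-port delegation rather than replacing it.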
	
