From owner-freebsd-security  Thu Jul  2 09:05:21 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id JAA18240
          for freebsd-security-outgoing; Thu, 2 Jul 1998 09:05:21 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from indigo.ie (nsmart@ts01-55.waterford.indigo.ie [194.125.139.118])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA18214
          for <security@FreeBSD.ORG>; Thu, 2 Jul 1998 09:05:08 -0700 (PDT)
          (envelope-from rotel@indigo.ie)
Received: (from nsmart@localhost)
	by indigo.ie (8.8.8/8.8.7) id QAA00294;
	Thu, 2 Jul 1998 16:56:14 +0100 (IST)
	(envelope-from rotel@indigo.ie)
From: Niall Smart <rotel@indigo.ie>
Message-Id: <199807021556.QAA00294@indigo.ie>
Date: Thu, 2 Jul 1998 16:56:14 +0000
In-Reply-To: Poul-Henning Kamp <phk@critter.freebsd.dk>
       "Re: bsd securelevel patch question" (Jul  2,  5:35pm)
Reply-To: rotel@indigo.ie
X-Mailer: Mail User's Shell (7.2.6 beta(3) 11/17/96)
To: Poul-Henning Kamp <phk@critter.freebsd.dk>, rotel@indigo.ie
Subject: Re: bsd securelevel patch question
Cc: "Allen Smith" <easmith@beatrice.rutgers.edu>, dg@root.com,
        security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net,
        abc@ralph.ml.org, tqbf@secnet.com
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Jul 2,  5:35pm, Poul-Henning Kamp wrote:
} Subject: Re: bsd securelevel patch question
>
> >I still agree with you for other reasons though, if an attacker
> >creates a new service people might use it even though it isn't a
> >legitimate service setup my the sysadmin.
> 
> Right, but if the attacker has hacked your system enough to bind
> to a socket < 1024, he >OWNS< it.  Any further attempt at adding
> security is bogus, and can at best OPEN the window more because
> you will be adding more complexity, rather than subtract from it.

Thats not true, if he hacks the user/group that the web server runs
at then he only owns the web server, the only additional priviledge
he gains is the ability to bind to port 80.

Niall

-- 
Niall Smart.        PGP: finger njs3@motmot.doc.ic.ac.uk
FreeBSD: Turning PC's into Workstations: www.freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message