From owner-freebsd-security Fri Jul 3 02:47:56 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA24545 for freebsd-security-outgoing; Fri, 3 Jul 1998 02:47:56 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from beatrice.rutgers.edu (beatrice.rutgers.edu [165.230.209.143]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA24524 for ; Fri, 3 Jul 1998 02:47:45 -0700 (PDT) (envelope-from easmith@beatrice.rutgers.edu)
Received: (from easmith@localhost) by beatrice.rutgers.edu (980427.SGI.8.8.8/970903.SGI.AUTOCF) id FAA08315; Fri, 3 Jul 1998 05:41:03 -0400 (EDT)
From: "Allen Smith"
Message-Id: <9807030541.ZM8314@beatrice.rutgers.edu>
Date: Fri, 3 Jul 1998 05:41:03 -0400
In-Reply-To: Niall Smart "Re: bsd securelevel patch question" (Jul 2, 6:23pm)
References: <199807021723.SAA00883@indigo.ie>
X-Mailer: Z-Mail (3.2.3 08feb96 MediaMail)
To: rotel@indigo.ie, Poul-Henning Kamp
Subject: Re: bsd securelevel patch question
Cc: dg@root.com, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Jul 2, 6:23pm, Niall Smart (possibly) wrote:
> On Jul 2, 7:04pm, Poul-Henning Kamp wrote:
> } Subject: Re: bsd securelevel patch question
> > >
> > > >That's not true, if he hacks the user/group that the web server runs
> > > >at then he only owns the web server, the only additional privilege
> > > >he gains is the ability to bind to port 80.
> >
> > which is worse than the standard: he cannot bind to any port < 1024.

There is also the question of whether one prefers:

A. a server that sometimes runs as root and sometimes not, which gives
   the possibility that someone may take root; or

B. a server that always runs as a user with one privilege, and is
   otherwise the same as an ordinary user.

Given the nasty possibilities inherent in a root takeover, I prefer the
latter if these are the only choices.

> Well, this depends on how the server runs, if it binds to the port
> and then setuid()'s to a lower privilege then this is true. There
> are clients out there that are purely setuid just so they can bind
> to a port < 1024 however, so it has valid uses.

There is also the option of having the server be run as a setuid binary
by the less-privileged user, in which case (using the setuid/group (or a
similar setuid/privilege) scheme I outlined earlier) it will, when
resetting its effective uid to its real uid, remove the privileges in
question. Admittedly, causing servers not running as root to do this
may require some rewriting; many assume that they can't (or at least
shouldn't) reset their euid when the euid isn't root, and that there's
no need to reset their euid back to anything but root.

	-Allen

-- 
Allen Smith			easmith@beatrice.rutgers.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message