Date:      Tue, 21 Aug 2001 14:39:57 +0300
From:      Peter Pentchev <roam@ringlet.net>
To:        "James E. Housley" <jeh@FreeBSD.org>
Cc:        Maxim Sobolev <sobomax@FreeBSD.org>, cjclark@alum.mit.edu, Robert Watson <rwatson@FreeBSD.org>, David Malone <dwmalone@maths.tcd.ie>, Mikhail Teterin <mi@aldan.algebra.com>, alex@big.endian.de, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/etc inetd.conf
Message-ID:  <20010821143957.G7824@ringworld.oblivion.bg>
In-Reply-To: <3B7BBA1B.26E728EE@FreeBSD.org>; from jeh@FreeBSD.org on Thu, Aug 16, 2001 at 08:18:35AM -0400
References:  <20010815123315.A35365@walton.maths.tcd.ie> <Pine.NEB.3.96L.1010815125441.81642C-100000@fledge.watson.org> <20010816000823.H330@blossom.cjclark.org> <3B7B896F.F0F8F244@FreeBSD.org> <3B7BBA1B.26E728EE@FreeBSD.org>

On Thu, Aug 16, 2001 at 08:18:35AM -0400, James E. Housley wrote:
> Maxim Sobolev wrote:
> > 
> > "Crist J. Clark" wrote:
> > 
> > > When are we just going to give up the now rather silly concept of
> > > "privileged ports?" Security on a UNIX platform gets _better_ when
> > > non-root processes can open ports <1024. Since no one (except for a
> > > limited few people on highly controlled, isolated networks) should
> > > ever trust remote machine, using a port <1024 is meaningless to the
> > > remote machine. It's also only an UNIX anachronism, and therefore
> > > meaningless in a heterogeneous environment.
> > >
> > > It would be so-o nice to have a sysctl(8) to turn off privileged
> > > ports and not have to worry about all of these problems with named(8),
> > > syslogd(8), ftpd(8), etc. If I do the work, is anyone going to fight
> > > committing it?
> > 
> > There is another problem with unprivileging ports below 1024 - the local user
> > potentially may DoS the service by binding to the same port when the service restarts
> > (for example, the sysadmin restarts it by a -HUP signal). I guess it should be relatively
> > easy to write an exploit that constantly monitors whether the specified port is bound
> > or not and immediately binds to it once the port for some reason is free.
> > 
> 
> One option that might make every one happy is three values for this new
> sysctl.
> 
> 0 = default
> 1 = protected
> 2 = open
> 
> Where:
> 
> "default" is the current mode, have to be uid=0 to bind to a port < 1024
> 
> "protected" is where you have to have a uid<1000, or some set number, to
> bind to a port<1024.  In standard installs user uids seem to start at
> either 1000 or 1001; this would let the created uids, i.e. 53 for bind, 88
> for mysql, 80 for www, etc., bind to these ports but still offer some
> protection from a DoS like the one Maxim mentions.
> 
> "open" any uid could bind to a port<1024

While this idea does have some merit (actually, it has quite a lot of
merit), there still are a couple of drawbacks.  For example, a malicious
CGI script, run as the 'www' user, would be able to execute a program
that would bind, say, port 22 - or a program that would wait until
port 22 became available for binding.

Still, this would be a good temporary workaround until a more elaborate
scheme, like the one described by Robert Watson in another message in
this thread, is deployed; but, as Robert says, a more elaborate scheme
might lower performance.

G'luck,
Peter

-- 
.siht ekil ti gnidaer eb d'uoy ,werbeH ni erew ecnetnes siht fI
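The three-valued sysctl proposed by James, and the two objections raised against it (Maxim's restart DoS from an ordinary user, Peter's 'www' CGI binding port 22), can be written out as one policy check. The C below is an added example, not FreeBSD kernel code and not anything posted in this thread: the enum values, the PRIVPORT_UID_THRESHOLD of 1000, and the function name privport_bind_allowed are assumptions made for illustration; the uids (53 bind, 80 www, 88 mysql, 1001 first ordinary user) are the ones quoted above. The "modes" are modelled as a plain parameter rather than a real sysctl so the check runs stand-alone.

```c
/*
 * Model of a three-mode "privileged ports" policy, as proposed in the
 * thread.  Added example; hypothetical names, not FreeBSD's own code.
 */
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

#define PRIVPORT_RESERVED      1024   /* ports below this are "privileged" */
#define PRIVPORT_UID_THRESHOLD 1000   /* assumed: first ordinary-user uid */

/* Assumed sysctl values, numbered as in James Housley's proposal. */
enum privport_mode {
	PRIVPORT_DEFAULT   = 0,   /* uid 0 only: today's behaviour */
	PRIVPORT_PROTECTED = 1,   /* any uid below PRIVPORT_UID_THRESHOLD */
	PRIVPORT_OPEN      = 2    /* any uid at all */
};

/*
 * Would a process running as `uid` be allowed to bind `port` under `mode`?
 * Returns true for "allowed"; a kernel would return EACCES for false.
 * Unknown modes fail closed, so a mis-set sysctl never widens access.
 */
static bool
privport_bind_allowed(enum privport_mode mode, uid_t uid, unsigned port)
{
	if (port >= PRIVPORT_RESERVED)
		return true;                       /* unprivileged port: no check */
	switch (mode) {
	case PRIVPORT_DEFAULT:
		return uid == 0;
	case PRIVPORT_PROTECTED:
		return uid < PRIVPORT_UID_THRESHOLD;
	case PRIVPORT_OPEN:
		return true;
	default:
		return false;
	}
}

/*
 * Maxim's scenario: while a daemon is restarting, can some *other* local
 * uid grab its port first?  True when that uid's bind would be allowed.
 */
static bool
privport_takeover_possible(enum privport_mode mode, uid_t attacker_uid,
    unsigned port)
{
	return privport_bind_allowed(mode, attacker_uid, port);
}

int
main(void)
{
	/* Constructed uids from the thread: root, bind, www, mysql, a user. */
	const struct { const char *name; uid_t uid; } who[] = {
		{ "root", 0 }, { "bind", 53 }, { "www", 80 },
		{ "mysql", 88 }, { "user", 1001 }
	};
	const char *modename[] = { "default", "protected", "open" };
	enum privport_mode m;
	size_t i;

	/* Who could sit on port 22 while sshd is being restarted? */
	for (m = PRIVPORT_DEFAULT; m <= PRIVPORT_OPEN; m++) {
		printf("mode=%-9s can take port 22:", modename[m]);
		for (i = 0; i < sizeof(who) / sizeof(who[0]); i++)
			if (privport_takeover_possible(m, who[i].uid, 22))
				printf(" %s", who[i].name);
		printf("\n");
	}
	return 0;
}
```

In "protected" mode the table shows exactly Peter's point: the ordinary user (uid 1001) is kept off port 22, but www (uid 80), and therefore anything a CGI script can exec, is not. Whether that is acceptable depends on how much one trusts the low-uid service accounts relative to each other, which is the trade-off the thread is weighing.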

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010821143957.G7824>