From owner-cvs-all Tue Aug 21 4:41:41 2001
Delivered-To: cvs-all@freebsd.org
Received: from ringworld.nanolink.com (dialmess.nanolink.com [217.75.135.246]) by hub.freebsd.org (Postfix) with SMTP id 79CFC37B410 for ; Tue, 21 Aug 2001 04:41:21 -0700 (PDT) (envelope-from roam@ringlet.net)
Received: (qmail 10859 invoked by uid 1000); 21 Aug 2001 11:39:57 -0000
Date: Tue, 21 Aug 2001 14:39:57 +0300
From: Peter Pentchev
To: "James E. Housley"
Cc: Maxim Sobolev, cjclark@alum.mit.edu, Robert Watson, David Malone, Mikhail Teterin, alex@big.endian.de, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/etc inetd.conf
Message-ID: <20010821143957.G7824@ringworld.oblivion.bg>
Mail-Followup-To: "James E. Housley", Maxim Sobolev, cjclark@alum.mit.edu, Robert Watson, David Malone, Mikhail Teterin, alex@big.endian.de, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
References: <20010815123315.A35365@walton.maths.tcd.ie> <20010816000823.H330@blossom.cjclark.org> <3B7B896F.F0F8F244@FreeBSD.org> <3B7BBA1B.26E728EE@FreeBSD.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3B7BBA1B.26E728EE@FreeBSD.org>; from jeh@FreeBSD.org on Thu, Aug 16, 2001 at 08:18:35AM -0400
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Thu, Aug 16, 2001 at 08:18:35AM -0400, James E. Housley wrote:
> Maxim Sobolev wrote:
> >
> > "Crist J. Clark" wrote:
> >
> > > When are we just going to give up the now rather silly concept of
> > > "privileged ports?" Security on a UNIX platform gets _better_ when
> > > non-root processes can open ports <1024. Since no one (except for a
> > > limited few people on highly controlled, isolated networks) should
> > > ever trust a remote machine, using a port <1024 is meaningless to the
> > > remote machine. It's also only a UNIX anachronism, and therefore
> > > meaningless in a heterogeneous environment.
> > >
> > > It would be so-o nice to have a sysctl(8) to turn off privileged
> > > ports and not have to worry about all of these problems with named(8),
> > > syslogd(8), ftpd(8), etc. If I do the work, is anyone going to fight
> > > committing it?
> >
> > There is another problem with unprivileging ports below 1024 - the local user
> > may potentially DOS a service by binding to the same port when the service restarts
> > (for example, the sysadmin restarts it with a -HUP signal). I guess it should be relatively
> > easy to write an exploit that constantly monitors whether the specified port is bound
> > or not and immediately binds to it once the port for some reason is free.
> >
>
> One option that might make everyone happy is three values for this new
> sysctl.
>
> 0 = default
> 1 = protected
> 2 = open
>
> Where:
>
> "default" is the current mode, have to be uid=0 to bind to a port < 1024
>
> "protected" is where you have to have a uid<1000, or some set number, to
> bind to a port<1024. In standard installs users' uids seem to start at
> either 1000 or 1001; this would let the created uids, i.e. 53 for bind, 88
> for mysql, 80 for www, etc., bind to these ports but still offer some
> protection from a DOS like Maxim mentions.
>
> "open" any uid could bind to a port<1024

While this idea does have some merit (actually, it has quite a lot of
merit), there still are a couple of drawbacks. For example, a malicious
CGI script, run as the 'www' user, would be able to execute a program
that would bind, say, port 22 - or a program that would wait until port
22 became available for binding.

Still, this would be a good temporary workaround until a more elaborate
scheme, like the one described by Robert Watson in another message in
this thread, is deployed; but, as Robert says, a more elaborate scheme
might lower performance..

G'luck,
Peter

--
.siht ekil ti gnidaer eb d'uoy ,werbeH ni erew ecnetnes siht fI

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
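The "port squatter" Maxim describes and the CGI-as-www scenario Peter raises are the same race seen from two sides: once the port-range policy lets a uid call bind() on a low port, nothing stops that uid from polling the port and grabbing it in the instant a restarting daemon has released it. The program below is an added example written for this page; it is not code from the thread, from FreeBSD, or from any of the posters. It models the race in user space with plain BSD sockets on the loopback address: `open_service()` stands in for the legitimate daemon, `squat()` is the monitor-and-bind loop, and `demo_race()` plays both halves against an ephemeral port so it runs unprivileged. The helper names are the example's own, and the probe of port 22 in `main()` assumes the host still enforces the classic root-only rule for ports below 1024 (it will print "allowed" if you run it as root or under a relaxed port-range policy).

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

/* Try exactly once to bind a fresh TCP socket to 127.0.0.1:port.
 * Returns the socket descriptor on success, or -errno on failure:
 * -EACCES when the port-range policy refuses a reserved port to this uid,
 * -EADDRINUSE when some other socket currently holds the port. */
int try_bind(uint16_t port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }
    return fd;
}

/* The squatter: keep probing the port and hold it the instant it is free.
 * Only EADDRINUSE is worth retrying; EACCES means the kernel's policy, not
 * another socket, is in the way, so the loop gives up immediately.
 * Returns the held descriptor, or -errno of the last attempt. */
int squat(uint16_t port, int max_attempts, int interval_ms)
{
    int last = -EADDRINUSE;
    for (int i = 0; i < max_attempts; i++) {
        struct timespec ts = { interval_ms / 1000,
                               (interval_ms % 1000) * 1000000L };
        last = try_bind(port);
        if (last != -EADDRINUSE)       /* success, or a non-retryable error */
            return last;
        nanosleep(&ts, NULL);
    }
    return last;
}

/* Stand-in for the legitimate daemon (hypothetical helper for the demo):
 * listen on an ephemeral loopback port and report which port was chosen.
 * A real service would of course sit on a fixed port such as 22 or 53. */
int open_service(uint16_t *port_out)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int fd = try_bind(0);
    if (fd < 0)
        return fd;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0 || listen(fd, 1) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }
    *port_out = ntohs(sa.sin_port);
    return fd;
}

/* Plays out the race: while the service holds the port the squatter is
 * refused with EADDRINUSE; the moment the service closes its socket (the
 * "restart"), the squatter's next probe wins. Returns 1 if both halves
 * behaved that way, 0 otherwise. */
int demo_race(void)
{
    uint16_t port;
    int svc = open_service(&port);
    if (svc < 0)
        return 0;
    int r1 = squat(port, 3, 10);          /* service up: must be refused */
    if (r1 != -EADDRINUSE) {
        if (r1 >= 0)
            close(r1);
        close(svc);
        return 0;
    }
    close(svc);                           /* service restarts: port is free */
    int r2 = squat(port, 50, 10);         /* squatter takes it first */
    if (r2 < 0)
        return 0;
    close(r2);
    return 1;
}

int main(void)
{
    int r = try_bind(22);
    printf("bind(127.0.0.1:22) as uid %u: %s\n", (unsigned)geteuid(),
           r >= 0 ? "allowed" : strerror(-r));
    if (r >= 0)
        close(r);
    printf("squatter race on an ephemeral port: %s\n",
           demo_race() ? "squatter wins after restart" : "unexpected result");
    return 0;
}
```

The point the loop makes about the proposed three-mode sysctl: the "protected" setting (uid below some cutoff) changes only which uids get past the EACCES branch in `try_bind()`; for any uid it admits, such as www at 80, the squatter above works against port 22 unchanged, which is exactly Peter's CGI objection. It also shows why the window Maxim worries about is not theoretical: a listening socket that is closed without live connections releases its port at once, so a poller sleeping a few milliseconds will normally beat a daemon that has to re-execute, re-read its config and then bind. For reference, both families later grew the knob Crist asked for: FreeBSD's `net.inet.ip.portrange.reservedhigh` and Linux's `net.ipv4.ip_unprivileged_port_start`.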