
Re: Is this mail list dead?



On Mon, 12 Mar 2001, Tracy R Reed wrote:

> Is there really any reason to require programs to be run as root to bind
> to ports <1024 anymore? I was just discussing this with some friends after
> the regular LUG meeting at Denny's the other day. That's where the best
> LUG conversation happens. :) There used to be a good reason for it but
> nowadays it seems like an unnecessary liability. Fixing this is probably a
> very simple little patch. 

I think it would be better if there were an option to allow non-root
access to certain ports (controlled by some file in /proc/sys/ perhaps?).

I wouldn't want a malicious shell user on my system (I only use ssh for 
logins) to run a fake telnet server on port 23 to confuse other users and
collect passwords.  The potential for a malicious user to abuse trust that
people have in standard system services is something to take into
consideration for something like this.

Perhaps in addition to just filtering by user, there should be a method to
filter by application.  e.g.: only a certain piece of software could bind
to a port, though I'm not sure if/how that could be implemented. (maybe
have the kernel check the commandline of the process against a list of
allowed commands in /proc/ somewhere.)  One could also combine some sort
of signature verification with this so the kernel can determine if the
application has been modified.

--
Coltrey Mather
Ubergeek (use your imagination for the umlaut)

-
Securedistros: A common list for all secured Linux distributions
Archive:       http://humbolt.nl.linux.org/lists/
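As an added illustration (not part of the original thread or the list's code): later Linux kernels did grow the kind of knob the reply asks for, the `net.ipv4.ip_unprivileged_port_start` sysctl, which sets the first port an unprivileged process may bind (default 1024). The per-application variant the reply speculates about is covered today by the `CAP_NET_BIND_SERVICE` file capability, granted to one binary with `setcap`. The script below reads that sysctl, predicts what the kernel will decide for a given port and uid, and then actually tries to bind so a defender can confirm on a host that the threshold has not been lowered far enough to expose a service port such as 23 to ordinary shell users. The sysctl path is real; the function names and the `1024` fallback for kernels without the sysctl are this example's own choices.

```python
import errno
import os
import socket

# Real sysctl (Linux 4.11 and later): ports at or above this value may be bound
# without CAP_NET_BIND_SERVICE. Older kernels lack the file and fix the bound at 1024.
UNPRIV_PORT_START = "/proc/sys/net/ipv4/ip_unprivileged_port_start"


def unprivileged_port_start(path=UNPRIV_PORT_START):
    """Return the first port a non-root process may bind; 1024 if the sysctl is absent."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 1024  # assumed default for kernels without the knob


def expected_outcome(port, is_root=None, threshold=None):
    """Predict the kernel's decision for binding `port`.

    A process with an effective uid of 0 (taken here as a stand-in for holding
    CAP_NET_BIND_SERVICE) may bind any port; everyone else only ports >= threshold.
    """
    if is_root is None:
        is_root = getattr(os, "geteuid", lambda: 1)() == 0
    if threshold is None:
        threshold = unprivileged_port_start()
    return "bound" if (is_root or port >= threshold) else "denied"


def try_bind(port, host="127.0.0.1"):
    """Actually attempt a TCP bind and classify the result.

    Returns 'bound', 'denied' (EACCES: the privileged-port check fired),
    'in_use' (EADDRINUSE) or 'error:<errno>' for anything else.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        return "bound"
    except PermissionError:
        return "denied"
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return "in_use"
        return f"error:{e.errno}"
    finally:
        s.close()


def exposed_service_ports(ports=(21, 22, 23, 25, 80, 443), threshold=None):
    """List the well-known ports an unprivileged local user could squat on, given the threshold."""
    if threshold is None:
        threshold = unprivileged_port_start()
    return [p for p in ports if p >= threshold]


if __name__ == "__main__":
    thr = unprivileged_port_start()
    print(f"unprivileged port range starts at {thr}")
    for port in (23, 8023):
        print(f"port {port}: predicted {expected_outcome(port)}, actual {try_bind(port)}")
    print("well-known ports reachable by unprivileged users:", exposed_service_ports())
```

Run it once as an ordinary user and once as root: the prediction and the real bind result should agree, and `exposed_service_ports()` should come back empty unless someone has deliberately lowered the sysctl. If the threshold has been set to 0 (a common shortcut for running a web server unprivileged), the list will include port 23 and the fake-telnet scenario in the reply becomes possible for any local account; granting `CAP_NET_BIND_SERVICE` to the one binary that needs it keeps the default threshold intact.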