Re: Is this mail list dead?
On Mon, 12 Mar 2001, Coltrey Mather wrote:
> On Mon, 12 Mar 2001, Tracy R Reed wrote:
>
> > Is there really any reason to require programs to be run as root to bind
> > to ports <1024 anymore? I was just discussing this with some friends after
> > the regular LUG meeting at Denny's the other day. That's where the best
> > LUG conversation happens. :) There used to be a good reason for it but
> > nowadays it seems like an unnecessary liability. Fixing this is probably a
> > very simple little patch.
>
> I think it would be better if there were an option to allow non-root
> access to certain ports (controlled by some file in /proc/sys/ perhaps?).
So long as:
1) existing behaviour remains default
2) only root can make this adjustment ;-)
> I wouldn't want a malicious shell user on my system (I only use ssh for
> logins) to run a fake telnet server on port 23 to confuse other users and
> collect passwords. The potential for a malicious user to abuse trust that
> people have in standard system services is something to take into
> consideration for something like this.
Good point. But it doesn't necessarily follow that root-user privs are
required to enforce this.
> Perhaps in addition to just filtering by user, there should be a method to
> filter by application. e.g.: only a certain piece of software could bind
> to a port...'though I'm not sure if/how that could be implemented. (maybe
> have the kernel check the commandline of the process against a list of
> allowed commands in /proc/ somewhere.) One could also combine some sort
> of signature verification with this so the kernel can determine if the
> application has been modified.
"filter by application" could indeed be a bit tricky - and security is
often (always?) easier to maintain in "simple" systems.
How about starting with "group" permissions? There's a few ways this
could be implemented, starting with something really simple like
membership of group 0 (or 1?) being sufficient for binding to a port.
More elaborate schemes might do something like representing the TCP and
UDP port-space in a virtual file system and allowing the nodes therein to
have their permissions changed.
On a more down-to-earth level, how many distros can run out-of-the-box
without inetd? Or at least without portmapper?
Regards,
Neale.
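The concern raised above (a non-root shell user putting a fake service on port 23) is something an administrator can check for from the defender's side, whatever the kernel policy ends up being. The following is an added example and is not code from this list or from any of the posters; it parses the `/proc/net/tcp` table layout (assumed: the `uid` in the eighth whitespace-separated column and state `0A` meaning LISTEN) and reports listeners on ports below 1024 that are owned by a uid other than root and not on an allowlist. The sample table is constructed, not captured from a real host; the function names and the `allowed_uids` parameter are this example's own.

```python
"""Flag TCP listeners on privileged ports (<1024) owned by non-root uids.

Added example for this thread, not code from the list or any poster.
Assumes the Linux /proc/net/tcp layout: hex local address:port in column 2,
socket state in column 4 (0A == LISTEN), owning uid in column 8.
"""
import sys

PRIVILEGED_PORT_LIMIT = 1024
TCP_LISTEN = "0A"

# Constructed sample in /proc/net/tcp layout (not captured from a real host):
#  - row 0: port 22 (0x0016) listener owned by uid 0: an ordinary sshd
#  - row 1: port 23 (0x0017) listener owned by uid 1000: non-root on the telnet port
#  - row 2: port 8080 (0x1F90) listener owned by uid 1000: unprivileged port, ignored
#  - row 3: port 23 ESTABLISHED (state 01) owned by uid 1000: not a listener, ignored
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1002 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0017 0100007F:C3A2 01 00000000:00000000 00:00000000 00000000  1000        0 1004 1 0000000000000000 100 0 0 10 0
"""


def parse_proc_net_tcp(text):
    """Yield (local_port, state, uid, inode) for each socket row in the table.

    The first line is the column header and is skipped.  rsplit on ':' keeps
    the parser valid for /proc/net/tcp6 too, where the address part is longer.
    """
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue  # blank or truncated row
        port_hex = fields[1].rsplit(":", 1)[1]
        yield int(port_hex, 16), fields[3], int(fields[7]), int(fields[9])


def find_unprivileged_low_port_listeners(text, allowed_uids=frozenset()):
    """Return sorted (port, uid) pairs for LISTEN sockets on ports < 1024
    whose owning uid is neither 0 nor listed in allowed_uids."""
    hits = set()
    for port, state, uid, _inode in parse_proc_net_tcp(text):
        if state != TCP_LISTEN or port >= PRIVILEGED_PORT_LIMIT:
            continue
        if uid == 0 or uid in allowed_uids:
            continue
        hits.add((port, uid))
    return sorted(hits)


if __name__ == "__main__":
    # Pass a path (e.g. /proc/net/tcp) to check a live host; default is the sample.
    source = sys.argv[1] if len(sys.argv) > 1 else None
    table = open(source).read() if source else SAMPLE_PROC_NET_TCP
    for port, uid in find_unprivileged_low_port_listeners(table):
        print(f"port {port} is in LISTEN state and owned by uid {uid}")
```

The uid column is the uid that created the socket, so a process that was granted the ability to bind low ports without being root (on later kernels, via the `CAP_NET_BIND_SERVICE` capability or a lowered `net.ipv4.ip_unprivileged_port_start` sysctl) shows its own uid here legitimately; that is what the `allowed_uids` set is for. Run the same parser over `/proc/net/tcp6` to cover IPv6 listeners.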
-
Securedistros: A common list for all secured Linux distributions
Archive: http://humbolt.nl.linux.org/lists/