Re: Ports 0-1023?

From: Thomas Cannon (tcannon@noops.org)
Date: 07/05/02 

Date: Thu, 4 Jul 2002 18:35:56 -0700 (PDT)
From: Thomas Cannon <tcannon@noops.org>
To: Charles 'core' Stevenson <core@bokeoa.com>

Hi Charles, folks.

> privilege seperation using the Linux capabilities. And why not hack
> something up so we can give an attribute to a suid that allows it to
> just change the system time or this sort of thing.

That's actually a work in progress. Systrace, from Neils Provos, is a
kernel-level modification that's already part of OpenBSD that monitors
running programs and allows an administrator to define what (and what not)
the program is allowed to do, at the syscall level. So, as in your
example, you could set a policy for 'date' that allows access to read and
set the system time, and that only. So, even if someone had found a way to
subvert 'date' into reading the password file, the exploit would fail as
that wouldn't be something specifically allowed by systrace. The real
benefit is in 3rd party applications. For instance, if there was a hole
found in apache that allowed an attacker to execute code on your server,
the exploit would fail, as the only thing apache would be allowed to do is
bund to port 80, fork children, and serve files from $webroot. If it tried
to execute /bin/sh, it would be denied. Same as if you ran a backdoored
program, like a trojaned './configure' script -- it'd alert you that
something fishy was going on and you could stop it before it did any
damage.

http://www.citi.umich.edu/u/provos/systrace/

-tcannon

>
> peace,
> core
>
> Kurt Seifried wrote:
> >>Is there any point in needing to be root in order to allocate the low
> >
> > ports
> >
> >>on unix-like systems, anymore? Could we get away from having to have some
> >>daemons even have a root stub in order to listen on a low port? What
> >
> > would
> >
> >>break, and what new holes would be created? Could some sort of port ACL
> >>simply be used that says a particular UID can allocate a particular range
> >>of ports?
> >
> >
> > Well. Let's say you don't need to be root anymore.
> >
> > Hey look at me, I'm the webserver! Or the email server, or the ftp server.
> > or the NFS server.......
> >
> > If I can down a service (remote/local DoS), or wait for it to be restarted
> > (like to reload configuration or some other automated interuption) I can be
> > that service. Kind of scary IMHO.
> >
> > Now if you're talking about assigning a UID or GID to "own" the port that's
> > a different story, however I fear people doing well intentioned, but stupid
> > things like assigning it to "nobody". This capability already exists in many
> > systems, Argus Pitbull (for Solaris) and Pitbull LX (for Linux), NSA
> > SELinux, and so on.
> >
> > Personally I like Solaris' ability to assign high ports to require root,
> > this is nice for NFS (2049) and other related systems (has to run as root
> > anyways, well unless you got some really crazy user-daemon nfs =).
> >
> > Plus with privilege seperation (OpenSSH, Postfix, Apache, etc.) there is
> > very little to worry about in most cases, done properly these things are not
> > terribly dangerous (ok, ignoring last week ....=).
> >
> > I wrote an article about this ages ago, but cannot find it, and of course
> > securityportal.com is no more, ohwell.
> >
> >
> >>Discuss.
> >>
> >>BB
> >
> >
> > Kurt Seifried, kurt@seifried.org
> > A15B BEE5 B391 B9AD B0EF
> > AEB0 AD63 0B4E AD56 E574
> > http://seifried.org/security/
> > http://www.iDefense.com/
> >
> >
> >
> >
>
>

Relevant Pages

  • How do I run a web server behind a modem/router on port 80.
    ... I set up Apache Tomcat to run on port 80 and port 8080. ... However, the weird thing is that even when I run my web server as root, ... going to port 80 on my IP address from a remote unix shell does not ... Running Tomcat as root. ...
    (comp.os.linux.networking)
  • [FEDORA-LIST] Installing software from source?
    ... I was just handed the root password to my server running Linux whitebox 4. ... The way port works is that I search for things I want to install ... zmac11:/Users/oracle root# port search perl ...
    (Fedora)
  • Re: www root directory for Apache
    ... I am bringing a new server online and until I have it completely setup ... Apache is set to port 8080. ... and I want to move the "www root" files to the new one and then test it ...
    (comp.os.linux.setup)
  • RE: Some technical errors
    ... If the SMTP server is not running on port 25 TCP it is not a public ... Manager - Computer Assurance Services BDO Chartered Accountants & ...
    (Security-Basics)
  • Re: SRV RRs support in Internet Explorer?
    ... The port number could be implicit (i.e. ... At any point in time, a server could fail ... can't effectively LB or backup because NSs cache the records for the TTL ... I still don't see how SRV records would help backup or LB. ...
    (microsoft.public.win2000.dns)