Re: Capabilities

From: Peter Benie (pjb1008@cam.ac.uk)
Date: Thu Feb 10 2000 - 11:48:39 EST


Matthew Kirkwood writes ("Re: Capabilities"):
> > Capabilities don't solve the inability to change which port is bound
> > since cap_net_bind_service is equivalent to root on most machines.
>
> Please explain? If bind has only CNBS and runs as user "named",
> then there is no root equivalence that I can see.

If you can bind to low numbered ports, you can fake credentials for
rsh or rlogin. From there, you can get to root on many machines
without much difficulty. Even if you can't get root, CNBS is still
sufficiently powerful that I wouldn't want bind to keep running with
that capability.

Peter
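The mitigation Peter's last sentence points at, as an added example that is not part of this thread: a daemon that uses CAP_NET_BIND_SERVICE exactly once, at startup, to bind its low port, and then removes the capability from its own effective, permitted and inheritable sets before it serves anything. The program is Linux-only and calls the raw capget/capset syscalls so that it needs no libcap; the helper names (`has_effective_cap`, `drop_cap`, `bind_tcp_port`) and the choice of 127.0.0.1:53 as a stand-in for a name server are this example's own assumptions.

```c
/* Bind a privileged port while holding CAP_NET_BIND_SERVICE, then drop the
 * capability for the rest of the process lifetime. Linux-only example using
 * raw capget/capset syscalls (no libcap); helper names are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Thin wrappers over the raw syscalls. */
static int raw_capget(struct __user_cap_header_struct *hdr,
                      struct __user_cap_data_struct *data)
{
    return (int)syscall(SYS_capget, hdr, data);
}

static int raw_capset(struct __user_cap_header_struct *hdr,
                      const struct __user_cap_data_struct *data)
{
    return (int)syscall(SYS_capset, hdr, data);
}

/* 1 if `cap` is in the calling thread's effective set, 0 if not, -1 on error. */
int has_effective_cap(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (raw_capget(&hdr, data) != 0)
        return -1;
    return (int)((data[cap >> 5].effective >> (cap & 31)) & 1u);
}

/* Remove `cap` from the effective, permitted and inheritable sets.
 * Clearing bits never needs privilege, so this also succeeds (as a no-op)
 * in a process that never held the capability. Returns 0 on success. */
int drop_cap(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (raw_capget(&hdr, data) != 0)
        return -1;
    __u32 mask = ~(1u << (cap & 31));
    data[cap >> 5].effective   &= mask;
    data[cap >> 5].permitted   &= mask;
    data[cap >> 5].inheritable &= mask;
    return raw_capset(&hdr, data) == 0 ? 0 : -1;
}

/* Listening TCP socket on 127.0.0.1:`port`; returns the fd or -1 (errno set).
 * For port < 1024 the kernel checks CAP_NET_BIND_SERVICE and fails with EACCES. */
int bind_tcp_port(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 8) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Step 1: spend the capability on the one thing it is for. */
    int fd = bind_tcp_port(53);
    if (fd < 0)
        fprintf(stderr, "bind 127.0.0.1:53: %s (needs CAP_NET_BIND_SERVICE)\n",
                strerror(errno));
    else
        printf("listening on 127.0.0.1:53 (fd %d)\n", fd);

    /* Step 2: discard it before serving, so a later compromise of this
     * process cannot bind further low ports. The bound socket keeps working. */
    if (drop_cap(CAP_NET_BIND_SERVICE) != 0)
        fprintf(stderr, "capset: %s\n", strerror(errno));
    printf("CAP_NET_BIND_SERVICE effective after drop: %d\n",
           has_effective_cap(CAP_NET_BIND_SERVICE));
    if (fd >= 0)
        close(fd);
    return 0;
}
```

Run it as root, or give the binary the capability as a file capability (for example `setcap cap_net_bind_service=+ep ./demo`), to see the bind succeed and the capability read back as 0 afterwards; run it unprivileged to see the bind fail with EACCES while the drop still succeeds. The order matters: the capability must be gone before the first untrusted byte is processed.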

This archive was generated by hypermail 2b29 : Tue Feb 15 2000 - 21:00:18 EST