Tomas Telensky wrote:
>But, what I should say to the network security, is that AFAIK in the most
>of linux distributions the standard daemons (httpd, sendmail) are run as
>root! Having multi-user system or not! Why? For only listening to a port
><1024? Is there any elegant solution?
Yes, most daemons have the ability to switch user ID once they have
bound tho the port. Additionally, support is starting to show up for
capabilities. I know that ProFTPD has support. Now, assuming it is
running on a newer kernel, it never needs to be root, because it has
been granted the capability to open a low port. Even if it is cracked,
it cannot do other things like . . . insert a kernel module, . . .
overwrite /etc/passwd . . . . . etc
-- Three things are certain: Death, taxes, and lost data Guess which has occurred. - - - - - - - - - - - - - - - - - - - - Patched Micro$oft servers are secure today . . . but tomorrow is another story!
- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to email@example.com More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Mon Apr 30 2001 - 21:00:13 EST