Re: [PATCH 2.6.18 try 2] net/ipv4: sysctl to allow non-superuser to bypass CAP_NET_BIND_SERVICE requirement
From: William Pitcock
Date: Fri Sep 22 2006 - 04:31:51 EST
On Sep 22, 2006, at 2:41 AM, YOSHIFUJI Hideaki wrote:
In article <736CE60D-FB88-4246-8728-B7AC7880B28E@xxxxxxxxxx> (at
Fri, 22 Sep 2006 02:31:59 -0500), William Pitcock
<nenolod@xxxxxxxxxx> says:
This patch allows for a user to disable the requirement to meet the
CAP_NET_BIND_SERVICE capability for a non-superuser. It is toggled by
the net.ipv4.allow_lowport_bind_nonsuperuser sysctl value.
Why? I don't think this is a good idea.
There are several reasons. To summarize, in some setups, such as
mine, it is undesirable to force applications to run as root to gain
access to 'service' ports. A more defined listing of reasons why this
patch is a good idea are below:
* People wanting to run restricted services such as jabber, ircd, etc
on low ports to allow people to bypass ISP firewalls, but the
software doesn't have mechanisms for dropping privileges (most ircds,
for example do not have such an option)
* The software is untrusted by the end user, in the event that the
software is not trustworthy, the amount of damage it can do running
as a normal user is less than as a superuser. As it is, the bind()
may have failed before the CAP_NET_BIND_SERVICE capability was
granted to the process.
* Building on that, capabilities are still linux-specific. Other
systems, such as FreeBSD allow you to disable this restriction via
sysctl as well. It is very likely that daemons are not capability
aware, and thus would require some sort of wrapper script (which is
likely beyond the ability of most endusers). Wrapping the daemon
would still require superuser privileges as well to make sure it
worked properly, and even if it did work properly, it still opens a
race condition where the bind() may have failed before the capability
bit was granted to the process.
* Many services do not run on 'service' ports, and instead run out in
userspace. For instance, MySQL listens on TCP/3306 by default, and
PostgreSQL listens in userspace as well (although, I cannot recall
the exact port number it listens on at present). In many cases, squid
runs on port 8080, which is also userspace. For this reason, it is
arguable that the entire CAP_NET_BIND_SERVICE restriction isn't very
useful.
* Embedded devices (consumer routers, etc) may want to have some
level of privilege seperation internally to reduce the amount of
exploitation possibility in their firmware, this patch makes that
easier to accomplish (just set the sysctl in the initialization and
go from there)
* Other TCP stacks (Winsock2, for instance) do not impose the <= 1023
limit.
diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index e4b1a4d..c3f7c3c 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -411,6 +411,7 @@ enum
NET_IPV4_TCP_WORKAROUND_SIGNED_WINDOWS=115,
NET_TCP_DMA_COPYBREAK=116,
NET_TCP_SLOW_START_AFTER_IDLE=117,
+ NET_IPV4_ALLOW_LOWPORT_BIND_NONSUPERUSER=118,
};
enum {
This implies all IPv4 protocols including other protocols
such as UDP, SCTP, ...
Yes, I'll change the sysctl name to better infer that it is for TCP.
That is not an issue. If you have a suggestion for what it should be,
I'd love to hear it.
@@ -1412,3 +1418,4 @@ EXPORT_SYMBOL(inet_stream_ops);
EXPORT_SYMBOL(inet_unregister_protosw);
EXPORT_SYMBOL(net_statistics);
EXPORT_SYMBOL(sysctl_ip_nonlocal_bind);
+EXPORT_SYMBOL(sysctl_ip_allow_lowport_bind_nonsuperuser);
Please be aware about indent.
I'll be sure to fix that, thank you.
(resent due to mailer glitch)
- nenolod
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/