Re: Bind to privileged (<1024) ports

David Ford (david@kalifornia.com)
Mon, 8 Jun 1998 14:21:14 -0700 (PDT)


On Mon, 8 Jun 1998, Winfried Truemper wrote:
[snipped]
> This would only require a few extra bytes added to kernel code and
> data, but would limit the impact of security holes in daemons running
> (traditionally) as root. Think of the recent bind vulnerability.

i'm sure this would be a nice feature but it would make programmers even
more security lax. bind has the capacity to run as a non-privileged user
as do most daemons.

if it doesn't need to run as root, put it >1023. otherwise, either bind
and drop permissions or maintain a vigilant security stance.

allowing non-privileged uids to bind in this region opens a plethora of
potential problems. an admin who is lax in this and sets up his machine
this way likely hasn't determined that all programs that are suid to this
uid are secured.

we could go on and on about this, but this is really a copout for bad
programming in the first place and really should be dealt with in
userland.

-d

--
Please read the linux/Documentation/ files and review the last week of mail
on linux-kernel before posting your problem.
           PLEASE don't quote _many_ lines and type _few_ lines
 -thx
