Re: [linux-security] Re: Configuration for binding to "secure" ports?



>You can modify the application auto-magically by LD_PRELOAD'ing a library
>that overrides libc bind() with something dup2()'ing the pre-bound socket.
>:)
>
>Well, you could also modify bind() to pass the socket (using BSD-like
>unix-domain socket magic) to a privileged "binder daemon" and let it
>decide whether you are allowed to bind it to the given port--and do it
>itself if you are.


Hmmm... This addresses my primary concern, of which I wasn't really clear --
the fewer programs running as root, the less chance a misconfiguration has of
overwriting root-run executables with Trojan code.

I realize that setting file modes, et al., can help alleviate much of the
issue (stuff like, the webserver run user should not own the webserver
executable, etc.), but, to me, that's the long way around.  Why not simply
not have the executable run as root in the first place, greatly simplifying
the task of securing it?

The more I learn about 'capabilities', the more I like them....

>> After sending a draft of this message to the linux-security list, I
>> received a highly informative "message rejected" e-mail from Rogier
>> Wolff pointing out that the newest kernels in the 2.1 series have
>> 'capabilities' -- one of which allows binding to secure ports by

[snip]
>A patch for 2.0.x has been published in one of the recent issues
>of Phrack that allows processes running under special gids to perform
>privileged socket operations.


http://www.phrack.com/52/P52-06 is where this info is.  Careful with some of
the patches.....

Lamar Owen
WGCR Internet Radio
