Subject: Re: building a userland interface to a kernel structure
To: NetBSD-current Discussion List <current-users@netbsd.org>
From: Dustin Sallings <dustin@spy.net>
List: current-users
Date: 01/13/1999 10:36:11
On Wed, 13 Jan 1999, Greg A. Woods wrote:

# Well, I wouldn't be running a mailer or a web server or any other kind
# of server on a machine that's got random users running amok on it.  If
# they manage to shut down sshd, well then they'll have to crack root too
# before they can trojan it with a valid private host key.... 

	No, they wouldn't; root only matters when the keys are in /etc and
only readable by root.

# However on a fully configured Unix system which runs all kinds of
# services *and* has random shell users, etc., you probably do not want to
# ever give non-root users the ability to bind to ports < 1024 since this
# opens up far too many covert channels and opportunities for trojan
# services, etc. 

	You're not seeing the big picture.  You almost stated my point in
the above...  Currently, the only discussion I've seen has involved
either ``get rid of the limitation'' or ``keep the limitation.''  There's
a nice grey middle where you can keep the limitation but assign control of
a specific port to a specific user.  This is what my code does.  Instead
of running the web server as root, then having it do all the work as user
nobody (or whatever), I'm suggesting running the web server as nobody and
allowing the user nobody to bind to port 80.  This has the effect of
having *far* fewer different things running as root on the machine.  Think
about all the root exploits this would have magically cured over the past
few years.  I knew someone who recently had a breakin due to a bug in
BIND (well, not that recently), a root exploit done remotely on a daemon
that was running as root simply for the sake of binding to a listening
port.  With my model, all of these daemons can magically be run as userx.
I'm just getting sick of the ``Oh, just do it as root,'' model; it's
unnecessary and dangerous.  IMO, it's also bad to say, ``just keep people
away from it,'' as if security should end there.  In a perfect world, I
could keep all of my users and all of my vital data on the same machine.

# In any case how you control these kinds of things is very specific to
# the requirements and design of each unique environment. 

	It sounds like you're trying to imply that because different
people might want to do it different ways, it shouldn't be done at all.

--
SA, beyond.com           My girlfriend asked me which one I like better.
pub  1024/3CAE01D5 1994/11/03 Dustin Sallings <dustin@spy.net>
|    Key fingerprint =  87 02 57 08 02 D0 DA D6  C8 0F 3E 65 51 98 D8 BE 
L_______________________ I hope the answer won't upset her. ____________
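The grey middle described in the message above (keep the ports-below-1024 restriction, but let one specific uid bind one specific low port, so httpd can run as nobody from the start) is easy to state as a policy check. The block below is an added user-space model of that check, not Dustin's kernel code and not anything from NetBSD: the "port:uid" grant format, the parse_grants/may_bind/check_bind names and the 64-entry table limit are all assumptions made for the illustration. In a real implementation the equivalent of may_bind() would run inside the kernel's bind() path, where the existing root-only test for reserved ports lives; the point the model shows is that the existing rule stays intact (root may still bind anything, everyone may bind 1024 and above) and only an explicit per-port grant relaxes it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define IPPORT_RESERVED 1024   /* first unprivileged port, as in the BSD headers */
#define MAX_GRANTS 64          /* assumed table size for this model */

/* One grant: "this uid may bind this reserved port". Hypothetical layout. */
struct port_grant {
    unsigned short port;
    uid_t uid;
};

struct grant_table {
    struct port_grant grants[MAX_GRANTS];
    int count;
};

/*
 * Parse a table in the assumed format: one "port:uid" per line, '#' comments.
 * Returns the number of grants loaded, or -1 on any error.  Rejects ports
 * outside 1..1023 (nothing to grant there), uid 0 (root does not need a
 * grant; such a line is almost certainly a typo) and duplicate ports.
 */
int parse_grants(const char *text, struct grant_table *t)
{
    const char *p = text;
    t->count = 0;
    while (*p) {
        if (*p == '\n') { p++; continue; }
        if (*p == '#') { while (*p && *p != '\n') p++; continue; }

        char *end;
        long port = strtol(p, &end, 10);
        if (end == p || *end != ':' || port < 1 || port >= IPPORT_RESERVED)
            return -1;
        p = end + 1;
        long uid = strtol(p, &end, 10);
        if (end == p || uid <= 0)
            return -1;
        for (int i = 0; i < t->count; i++)
            if (t->grants[i].port == port)
                return -1;            /* one owner per port */
        if (t->count >= MAX_GRANTS)
            return -1;
        t->grants[t->count].port = (unsigned short)port;
        t->grants[t->count].uid = (uid_t)uid;
        t->count++;

        p = end;
        while (*p == ' ' || *p == '\t') p++;
        if (*p == '\n') p++;
        else if (*p) return -1;       /* trailing junk on the line */
    }
    return t->count;
}

/*
 * The check a bind() on a listening port would go through.  Order matters:
 * the two existing rules come first, so a grant can only ever add access
 * for the one uid named, never take anything away.
 */
int may_bind(const struct grant_table *t, uid_t uid, unsigned short port)
{
    if (uid == 0)                 return 1;   /* root: unchanged */
    if (port >= IPPORT_RESERVED)  return 1;   /* unprivileged range: unchanged */
    for (int i = 0; i < t->count; i++)
        if (t->grants[i].port == port)
            return t->grants[i].uid == uid;   /* reserved port with an owner */
    return 0;                                 /* reserved port, no grant: as before */
}

/* Convenience: load a table and answer one question. -1 = bad table, 0 = deny, 1 = allow. */
int check_bind(const char *table_text, uid_t uid, unsigned short port)
{
    struct grant_table t;
    if (parse_grants(table_text, &t) < 0)
        return -1;
    return may_bind(&t, uid, port);
}

int main(void)
{
    /* Constructed sample table: httpd as nobody (65534), named as uid 53. */
    const char *table = "# port:uid\n80:65534\n53:53\n";
    printf("nobody  -> 80: %d\n", check_bind(table, 65534, 80));
    printf("nobody  -> 25: %d\n", check_bind(table, 65534, 25));
    printf("uid1000 -> 80: %d\n", check_bind(table, 1000, 80));
    return 0;
}
```

With that table nobody can own port 80 and nothing else below 1024, named can own 53, and an arbitrary shell user still gets exactly what they get today: nothing below 1024 and everything above it. That is the property that matters for Greg's covert-channel objection: the grant is for one port to one uid, it is not a blanket ability to bind reserved ports.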