Subject: Re: i386 IO access and chroot()
To: None <tech-security@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: tech-security
Date: 07/14/2001 22:28:37
[ On Saturday, July 14, 2001 at 21:19:49 (-0400), Michael Richardson wrote: ]
> Subject: Re: i386 IO access and chroot() 
>
>      4. bind < 1024
>      5. network operations, period

I don't yet fully understand the implications, but I'm very leery about
allowing non-root users to do anything like this under any
circumstances.

Take for example SSH.  If you get right down to the brass tacks, SSH
requires you to trust the OS and hardware at each end of the connection
(which of course implies that you can trust them to have done the
authentication, but that's a separate issue).  As I understand the Unix
security model in combination with the SSH protocol this means that SSH
must run as root on both ends and the initial use of a TCP port less
than 1024 is key to the web of trust built up as SSH establishes the
authenticity of the hosts and users at each end.  I.e. part of the
protocol assumes that only _the_ trusted superuser on the remote system
could have bound the socket to the port it did.

By adding some kind of access control mechanism that allows non-root
users to do "trusted" network operations you are shouldering
responsibilities onto non-root users and I'm not so sure you should be.

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>     <woods@robohack.ca>
Planix, Inc. <woods@planix.com>;   Secrets of the Weird <woods@weird.com>
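The trust relationship Greg describes, in which a server believes a peer only because the connection came from a port below 1024 that only the remote superuser could have bound, is illustrated by the following added example. It is not code from the post, from NetBSD or from any SSH implementation; it models the classic rhosts-style source-port check in Python over loopback. The function and variable names are the example's own, and the ports involved are whatever the local kernel hands out (ephemeral ports are always above 1023, so the unprivileged client is correctly rejected).

```python
import errno
import socket
import threading

# Classic Unix reserves ports below this for processes running as root.
PRIVILEGED_PORT_LIMIT = 1024


def peer_port_is_privileged(peer_addr):
    """Return True if the peer's source port is a reserved port (< 1024).

    This is the whole basis of rhosts-style trust: the check is only
    meaningful while *only* root on the remote host can bind such a port.
    """
    return 0 < peer_addr[1] < PRIVILEGED_PORT_LIMIT


def run_rhosts_style_server(ready, result):
    """Accept one loopback connection and record whether its source port is reserved."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral listening port, no privilege needed
    srv.listen(1)
    result["server_port"] = srv.getsockname()[1]
    ready.set()
    conn, peer = srv.accept()
    with conn:
        trusted = peer_port_is_privileged(peer)
        result["peer_port"] = peer[1]
        result["trusted"] = trusted
        conn.sendall(b"trusted\n" if trusted else b"untrusted\n")
    srv.close()


def demo_connection_from_unprivileged_port():
    """Connect as an ordinary process (ephemeral source port) and return the server's verdict."""
    ready = threading.Event()
    result = {}
    t = threading.Thread(target=run_rhosts_style_server, args=(ready, result))
    t.start()
    ready.wait()
    with socket.create_connection(("127.0.0.1", result["server_port"]), timeout=5) as c:
        reply = c.recv(16)
    t.join()
    result["reply"] = reply.decode().strip()
    return result


def try_bind_reserved_port(port=1023):
    """Attempt to bind a reserved port.

    Returns 'bound' if the kernel allowed it (i.e. we are root or the
    reservation has been relaxed), otherwise the errno name, typically
    EACCES for a non-root process on a classic Unix system.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("127.0.0.1", port))
        return "bound"
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


if __name__ == "__main__":
    r = demo_connection_from_unprivileged_port()
    print(f"peer port {r['peer_port']}: server said {r['reply']}")
    print(f"binding port 1023 as this user: {try_bind_reserved_port()}")
```

The server side is the defender's view: it can reject a peer whose source port is above 1023, but the rejection only protects anything because the kernel at the other end refuses that bind to non-root users. Granting ordinary users the ability to bind below 1024, as the quoted proposal would, turns every such check on every trusting host into a no-op without changing a line of the trusting host's code.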