[1801] in linux-security and linux-alert archive


[linux-security] Re: Configuration for binding to "secure" ports?

daemon@ATHENA.MIT.EDU (Malcolm Beattie)
Fri May 29 12:05:52 1998

Date: Fri, 29 May 1998 12:30:03 +0100 (BST)
From: Malcolm Beattie <mbeattie@sable.ox.ac.uk>
In-reply-to: <000f01bd8a94$f9ce9460$d2e84ace@admin.wgcr.org>
To: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

Lamar Owen writes:
> I began to think -- what if there was a way to configure the kernel to
> allow a non-root program to listen on a particular "secure" port --
> then I wouldn't have to start various and sundry network daemons as
> root, just to have them seteuid to another user after acquiring the
> port.
[...]
> reasons prohibit me at this time.  So, I am currently stuck at 2.0.x,
> which has no such 'capabilities' (bad pun).

I've written a "socket filesystem" for 2.0 that lets you set
user/group and permissions on ports less than 1024 simply by doing
things like
    chown named /sockfs/53
    chown ldap /sockfs/389
There's a small kernel patch (which changes the "check for <1024"
socket bind test to callout to a separate function) and a sockfs.o
filesystem module. You do
    insmod sockfs.o
    mount -t sockfs sockfs /sockfs
and then the appropriate "write" permission bit on the (fake) file
/sockfs/n determines whether owner/group/other can bind to port n.
It's available from
    ftp://ftp.ox.ac.uk/pub/linux/sockfs-a1.tar.gz
and is only 6K. It's alpha1 as its name implies and only lightly
tested but it's really very simple.

--Malcolm

-- 
Malcolm Beattie <mbeattie@sable.ox.ac.uk>
Unix Systems Programmer
Oxford University Computing Services
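The bind rule Malcolm describes, modelled in Python as an added example (this is not the sockfs code from the tarball): each port below 1024 is a fake file whose owner, group and write bits decide who may bind. Assumed here and not stated in the post: fresh entries are root-owned with mode 0200, root always passes, and the check is the classic owner/group/other cascade.

```python
"""Model of the post's bind rule (added example, not the sockfs code): each
port n below 1024 is a fake file /sockfs/n whose owner, group and write
bits decide who may bind(2) to n.  Assumed here, not stated in the post:
fresh entries are root-owned with mode 0200, and root always passes."""
import stat

PRIVILEGED_PORT_LIMIT = 1024  # the kernel's original "port < 1024" test

class SockFS:
    def __init__(self):
        self.entries = {}  # port -> (uid, gid, mode)

    def _entry(self, port):
        return self.entries.setdefault(port, (0, 0, 0o200))

    def chown(self, port, uid, gid=None):
        """Mirror `chown user /sockfs/port`; group unchanged unless given."""
        _, old_gid, mode = self._entry(port)
        self.entries[port] = (uid, old_gid if gid is None else gid, mode)

    def chmod(self, port, mode):
        uid, gid, _ = self._entry(port)
        self.entries[port] = (uid, gid, mode & 0o777)

    def may_bind(self, uid, gids, port):
        """What the patched kernel asks instead of suser() at bind() time."""
        if port >= PRIVILEGED_PORT_LIMIT or uid == 0:
            return True
        owner, group, mode = self._entry(port)
        if uid == owner:                 # classic owner/group/other cascade:
            return bool(mode & stat.S_IWUSR)
        if group in gids:                # a group match does not fall through
            return bool(mode & stat.S_IWGRP)
        return bool(mode & stat.S_IWOTH)

NAMED_UID, NAMED_GID, LDAP_UID, LDAP_GID = 25, 25, 55, 55  # constructed ids

def demo():
    fs = SockFS()
    fs.chown(53, NAMED_UID)             # chown named /sockfs/53
    fs.chown(389, LDAP_UID)             # chown ldap /sockfs/389
    fs.chown(80, 0, LDAP_GID)           # root-owned, but let the ldap group...
    fs.chmod(80, 0o220)                 # ...bind via the group write bit
    return {
        "named_53": fs.may_bind(NAMED_UID, {NAMED_GID}, 53),
        "ldap_53": fs.may_bind(LDAP_UID, {LDAP_GID}, 53),
        "ldap_80_via_group": fs.may_bind(LDAP_UID, {LDAP_GID}, 80),
        "named_80": fs.may_bind(NAMED_UID, {NAMED_GID}, 80),
        "named_8080": fs.may_bind(NAMED_UID, {NAMED_GID}, 8080),
    }
```

Note that because the entry is per port, a daemon granted /sockfs/53 still cannot bind any other privileged port, which is the least-privilege point of the scheme.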
