| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 22 Sep 2006 08:59:12 +0000 (UTC) From: daw@...berkeley.edu (David Wagner) To: linux-kernel@...r.kernel.org Subject: Re: [PATCH 2.6.18 try 2] net/ipv4: sysctl to allow non-superuser to bypass CAP_NET_BIND_SERVICE requirement William Pitcock wrote: >This patch allows for a user to disable the requirement to meet the >CAP_NET_BIND_SERVICE capability for a non-superuser. It is toggled by >the net.ipv4.allow_lowport_bind_nonsuperuser sysctl value. Can't you provide this functionality (in a non-transparent way) through user-space code alone? I'm thinking of a setuid-root program that takes a port number as argv[1], binds to that port, dup()s the new file descriptor onto fd 0 (say), drops root, and then forks and execs a program specified on argv[2]. If you want to get fancy, instead of exec-ing, you could use the standard trick to pass the file descriptor over a Unix domain socket to some other process. Seems like you should be able to make something like this work, as long as you're willing to make small modifications to the program that uses the low port. Does that work? - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists