lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <410AB903-2500-4CDF-B777-0367A7C0AEDF@atheme.org>
Date:	Fri, 22 Sep 2006 03:22:47 -0500
From:	William Pitcock <nenolod@...eme.org>
To:	YOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@...ux-ipv6.org>
Cc:	linux-kernel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH 2.6.18 try 2] net/ipv4: sysctl to allow non-superuser to bypass CAP_NET_BIND_SERVICE requirement

On Sep 22, 2006, at 2:41 AM, YOSHIFUJI Hideaki / 吉藤英明 wrote:

> In article <736CE60D-FB88-4246-8728-B7AC7880B28E@...eme.org> (at  
> Fri, 22 Sep 2006 02:31:59 -0500), William Pitcock  
> <nenolod@...eme.org> says:
>
>> This patch allows for a user to disable the requirement to meet the
>> CAP_NET_BIND_SERVICE capability for a non-superuser. It is toggled by
>> the net.ipv4.allow_lowport_bind_nonsuperuser sysctl value.
>
> Why?  I don't think this is a good idea.
>

There are several reasons. To summarize, in some setups, such as  
mine, it is undesirable to force applications to run as root to gain  
access to 'service' ports. A more defined listing of reasons why this  
patch is a good idea are below:

* People wanting to run restricted services such as jabber, ircd, etc  
on low ports to allow people to bypass ISP firewalls, but the  
software doesn't have mechanisms for dropping privileges (most ircds,  
for example do not have such an option)

* The software is untrusted by the end user, in the event that the  
software is not trustworthy, the amount of damage it can do running  
as a normal user is less than as a superuser. As it is, the bind()  
may have failed before the CAP_NET_BIND_SERVICE capability was  
granted to the process.

* Building on that, capabilities are still linux-specific. Other  
systems, such as FreeBSD allow you to disable this restriction via  
sysctl as well. It is very likely that daemons are not capability  
aware, and thus would require some sort of wrapper script (which is  
likely beyond the ability of most endusers). Wrapping the daemon  
would still require superuser privileges as well to make sure it  
worked properly, and even if it did work properly, it still opens a  
race condition where the bind() may have failed before the capability  
bit was granted to the process.

* Many services do not run on 'service' ports, and instead run out in  
userspace. For instance, MySQL listens on TCP/3306 by default, and  
PostgreSQL listens in userspace as well (although, I cannot recall  
the exact port number it listens on at present). In many cases, squid  
runs on port 8080, which is also userspace. For this reason, it is  
arguable that the entire CAP_NET_BIND_SERVICE restriction isn't very  
useful.

* Embedded devices (consumer routers, etc) may want to have some  
level of privilege seperation internally to reduce the amount of  
exploitation possibility in their firmware, this patch makes that  
easier to accomplish (just set the sysctl in the initialization and  
go from there)

* Other TCP stacks (Winsock2, for instance) do not impose the <= 1023  
limit.

>> diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
>> index e4b1a4d..c3f7c3c 100644
>> --- a/include/linux/sysctl.h
>> +++ b/include/linux/sysctl.h
>> @@ -411,6 +411,7 @@ enum
>> 	NET_IPV4_TCP_WORKAROUND_SIGNED_WINDOWS=115,
>> 	NET_TCP_DMA_COPYBREAK=116,
>> 	NET_TCP_SLOW_START_AFTER_IDLE=117,
>> +	NET_IPV4_ALLOW_LOWPORT_BIND_NONSUPERUSER=118,
>>    };
>>
>>    enum {
>
> This implies all IPv4 protocols including other protocols
> such as UDP, SCTP, ...

Yes, I'll change the sysctl name to better infer that it is for TCP.  
That is not an issue. If you have a suggestion for what it should be,  
I'd love to hear it.

>
>> @@ -1412,3 +1418,4 @@ EXPORT_SYMBOL(inet_stream_ops);
>>    EXPORT_SYMBOL(inet_unregister_protosw);
>>    EXPORT_SYMBOL(net_statistics);
>>    EXPORT_SYMBOL(sysctl_ip_nonlocal_bind);
>> +EXPORT_SYMBOL(sysctl_ip_allow_lowport_bind_nonsuperuser);
>
> Please be aware about indent.

I'll be sure to fix that, thank you.

(resent due to mailer glitch)

- nenolod

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ