Delivered-To: freebsd-questions@freebsd.org
From: "Dustin Puryear"
Subject: RE: Getting Apache to run as user www only
Date: Wed, 2 Jan 2002 18:13:52 -0600

What I think is happening here is that some people are confusing the idea of allowing a specified user to bind to a port with giving a program image that same privilege. At least, that's what I think is being assumed here.

Certainly, if a process that is running as a user with bind-to-port-x privilege is compromised, that port is compromised, but that is certainly better than compromising, say, the parent httpd process that is running as root. This way, even if an attacker compromises the process before it drops its privileges, it will still limit the worst-case scenario. Even in this case there are ways to mitigate resulting damage in many cases, often by using the current solutions where you switch the user you are running as after you have bound to the port. This way the root user is never required and only a subset of your privileged ports are fair game.

Of course, I doubt this is a novel idea, even in the UNIX world where the single superuser mentality is still strong.

Regards, Dustin

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Dustin Puryear
> Sent: Wednesday, January 02, 2002 5:55 PM
> To: Matthew Graybosch; freebsd-questions@freebsd.org
> Subject: RE: Getting Apache to run as user www only
>
> > > > I think that takes a small prize for being the best suggestion for
> > > > introducing a security hole the size of the grand canyon into the O/S.
> > > > Just think about it, before you ask why... :)
> > >
> > > Thought about it. Now, why?
> >
> > I wonder what sort of havoc I could wreak if I were to crack an httpd bound
> > directly to the kernel?
>
> What does that have to do with my suggestion which was to allow a specified
> user to bind to a given port. I am not sure where that leads to httpd being
> "bound directly to the kernel." Maybe I am missing something? Please
> enlighten me. :)
>
> Regards, Dustin
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message