Re: [OFFTOPIC] Re: [PATCH] Single user linux

Ben Ford (ben@kalifornia.com)
Tue, 24 Apr 2001 22:26:05 -0700


Tomas Telensky wrote:

<snip>

>But, what I should say to the network security, is that AFAIK in the most
>of linux distributions the standard daemons (httpd, sendmail) are run as
>root! Having multi-user system or not! Why? For only listening to a port
><1024? Is there any elegant solution?
>

Yes, most daemons have the ability to switch user ID once they have
bound tho the port. Additionally, support is starting to show up for
capabilities. I know that ProFTPD has support. Now, assuming it is
running on a newer kernel, it never needs to be root, because it has
been granted the capability to open a low port. Even if it is cracked,
it cannot do other things like . . . insert a kernel module, . . .
overwrite /etc/passwd . . . . . etc

-b

-- 
Three things are certain:
Death, taxes, and lost data
Guess which has occurred.
- - - - - - - - - - - - - - - - - - - -
Patched Micro$oft servers are secure today . . . but tomorrow is another story!

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/