LinuxQuestions.org
Old 03-30-2005, 03:31 PM   #1
The MCP
Allowing specific programs access to needed ports


I'm trying to set up all my server's key programs (ssh, httpd, cups, etc) to run under their own restricted user. The only problem is that, for example, when (as root) I enter "sudo -u sshd /usr/sbin/sshd" to start ssh without it ever having root privileges, it fails to initialize and auth.log says that it can't bind to port 22 - access denied. (I'm using Mandrake 10.0, set to "higher security", system is also configured to be generally paranoid).

So, how can I give certain users (httpd, sshd, proftpd) access to only the ports they need to run?
 
Old 03-31-2005, 08:38 AM   #2
win32sux
AFAIK, you need to be root to bind to ports < 1024...

 
Old 03-31-2005, 09:26 AM   #3
frgtn
Some daemons can be started as root and then, after binding to a privileged port, drop the root privileges and run as some unprivileged user, like sshd. Try reading manuals or googling. Btw, ssh has some intelligent privilege separation system, so if you're using the most recent version and if it won't offend your paranoia, you can just run it as root.
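An added example (not code from this thread or from any of the daemons named in it) of the start-as-root-then-drop pattern frgtn describes: bind the privileged port while still root, then give up root for good before serving anything. Port 22 and the target uid/gid 65534 (conventionally nobody/nogroup) are assumptions.

```c
/* Added example, not code from the thread: bind a privileged port while root,
 * then drop to an unprivileged uid/gid for good (the pattern post #3 describes). */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listening TCP socket on `port` (0 = kernel picks one). Returns the fd or -1
 * with errno set; an unprivileged caller gets EACCES for ports below 1024. */
int listen_on_port(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Drop to uid/gid permanently: supplementary groups, then gid, then uid (once
 * the uid is unprivileged the other two can no longer be changed). Returns 0
 * only if every step succeeded and root can no longer be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* re-escalation must fail */
    if (getuid() != uid || geteuid() != uid || getgid() != gid) return -1;
    return 0;
}

int main(void)
{
    int fd = listen_on_port(22);             /* needs root (or CAP_NET_BIND_SERVICE) */
    if (fd < 0) { perror("listen_on_port"); return 1; }
    if (drop_privileges(65534, 65534) < 0) { /* nobody/nogroup ids: assumption */
        perror("drop_privileges"); return 1;
    }
    printf("listening on port 22 as uid %d; accept loop goes here\n", (int)getuid());
    close(fd);
    return 0;
}
```

Run it as root and check with `ps -o user,pid,cmd` that the process is shown under uid 65534 while `ss -ltnp` (or `netstat -ltnp`) still shows it owning port 22.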
 
Old 03-31-2005, 02:47 PM   #4
Krugger
Maybe you could do some iptables magic and redirect all the traffic that comes to the well known <1024 ports to higher ports so that your programs don't need to have the setuid bit. And don't forget to redirect the output of those ports to the ports the client program expects or you will break communications.

# REDIRECT lives in the nat table, and long options take two dashes:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 6666

# No second rule is needed for the replies: the nat table only sees the first
# packet of a connection, and connection tracking rewrites the answers from
# port 6666 back to port 80 on their way out by itself.

didn't actually test it, it is just supposed to get you going. Theoretically it should redirect incoming web traffic to your apache that is running on port 6666 without the client browser noticing anything.
 
Old 03-31-2005, 06:16 PM   #5
The MCP
Original Poster
Thanks all! - Got it working

I tried using the IPtables suggestion, and then realized that on Mandrake I can just edit /etc/shorewall/rules - Added redirects for inbound/outbound port 80/6666 to 6666/80 respectively, just tested it, and it seems to work. The main problem was that user apache lacked write access to the logfiles and /var/run/httpd - solved those. Now I just need to make sure that it works elsewhere and I can start changing ssh and cups over.

And yes, it's true that when I start httpd as root it creates one root process and then spawns other processes under user 'apache', and that I've enabled privilege separation for sshd, but I'm still uncomfortable with having any more root processes than absolutely necessary. (Presumably that'd be bad if the process table were corrupted by a cracker).

Anyway, thanks again for the inspiration! btw, the server is ejksdesktop.homelinux.com - can someone confirm that it works (ie loads)?
 
Old 03-31-2005, 06:21 PM   #6
win32sux
it works. it works well.
 