LinuxQuestions.org


PlatinumX 11-07-2008 08:40 AM

Is REALLY under appli using port < 1024 Root ?
 
Hey all,

I read this article http://www.linuxquestions.org/linux/...rts_below_1024.

According to the theory, any application running under port 1024 needs superuser privilege to bind the port.

In the "real life", are all applications using port < 1024 running under root account ?
Web servers, ftp servers, dns servers,....

Thanks

estabroo 11-07-2008 10:04 AM

Most services drop root privileges after opening the port. So in "real life" the answer is maybe.

PlatinumX 11-11-2008 11:09 AM

Quote:

Most services drop root privileges after opening the port.

So in my understanding, services are really vulnerable at boot time.
Then the identity of the service is like any other account.

Right ?

estabroo 11-11-2008 01:13 PM

I wouldn't say they are more vulnerable unless they are actually doing something, just opening the port doesn't make them more vulnerable, but yes once they drop privileges they are like any other account and can only directly access what that account can access.

ledow 11-11-2008 01:45 PM

Quote:

Originally Posted by PlatinumX (Post 3338437)
So in my understanding, services are really vulnerable at boot time.
Then the identity of the service is like any other account.

Right ?


Vulnerable against what? Remote exploits?

Until the process binds the port, it isn't acting on any malicious data - it isn't *receiving* anything from the network until it binds the port. Once it binds the port, and is therefore "vulnerable" to remote attacks, then it *immediately* drops the root privilege. Lots of software like Apache etc. do all their setup first and then in two consecutive lines bind the port and drop privileges. Any window of opportunity is on a nano-second scale and in that moment Apache isn't doing *anything* with *any* data that arrives from a remote location.

Additionally, because the process isn't "ready" it probably denies any and all requests from external source until it knows it is "safe" to respond (i.e. it's only running as an unprivileged user).

PlatinumX 11-12-2008 12:02 PM

Ok, very clear, thanks.

A final question: if the process binds the port < 1024 and then drops root privileges, can it keep a "root" port open?

ledow 11-14-2008 04:57 AM

The "privilege" that requires permission is "binding" to a port that is < 1024. Once that has occurred, the program in question is given notice whenever anything arrives on that port (including access to the data that arrived). Binding the port (asking for this notification) is the privileged operation only available to root. But once the request is in, the notifications still arrive no matter what user Apache pretends to be. Otherwise, it would be a waste of time because Apache would ever only be able to run as root.

If Apache started as root (which is what happens), bound the port it needed, dropped to "apache" (an unprivileged user) and then tried to bind that port (or anything else < 1024) again, it would fail horribly. Instead it does it once, drops all root permissions and then everything that comes into port 80 is processed as the "apache" user.

For all purposes, once it has "seteuid" (set effective user ID) to "apache", it is no different to the apache user at all and no longer has any of root's "special features" and thus it will just get "permission denied". But the only "special feature" is *binding* to a port (i.e. asking for notification if data arrives there and thus being able to retrieve that data), not receiving the data itself.

PlatinumX 11-17-2008 07:33 AM

Thanks

Clear and precise.

