LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 11-07-2008, 08:40 AM   #1
PlatinumX
Member
 
Registered: May 2008
Location: France
Distribution: Debian / Fedora / Gentoo
Posts: 178

Rep: Reputation: 15
Is REALLY under appli using port < 1024 Root ?


Hey all,

I read this article http://www.linuxquestions.org/linux/...rts_below_1024.

According to the theory, any application running under port 1024 needs superuser privilege to bind the port.

In the "real life", are all applications using port < 1024 running under root account ?
Web servers, ftp servers, dns servers,....

Thanks
 
Old 11-07-2008, 10:04 AM   #2
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,092
Blog Entries: 2

Rep: Reputation: 109Reputation: 109
Most services drop root privileges after opening the port. So in "real life" the answer is maybe.
 
Old 11-11-2008, 11:09 AM   #3
PlatinumX
Member
 
Registered: May 2008
Location: France
Distribution: Debian / Fedora / Gentoo
Posts: 178

Original Poster
Rep: Reputation: 15
Quote:
Most services drop root privileges after opening the port.
So in my understanding, services are really vulnerable at boot time.
Then the identity of the service is like any other account.

Right ?
 
Old 11-11-2008, 01:13 PM   #4
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,092
Blog Entries: 2

Rep: Reputation: 109Reputation: 109
I wouldn't say they are more vulnerable unless they are actually doing something, just opening the port doesn't make them more vulnerable, but yes once they drop privileges they are like any other account and can only directly access what that account can access.
 
Old 11-11-2008, 01:45 PM   #5
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
Quote:
Originally Posted by PlatinumX View Post
So in my understanding, services are really vulnerable at boot time.
Then the identity of the service is like any other account.

Right ?

Vulnerable against what? Remote exploits?

Until the process binds the port, it isn't acting on any malicious data - it isn't *receiving* anything from the network until it binds the port. Once it binds the port, and is therefore "vulnerable" to remote attacks, then it *immediately* drops the root privilege. Lots of software like Apache etc. do all their setup first and then in two consecutive lines bind the port and drop privileges. Any window of opportunity is on a nano-second scale and in that moment Apache isn't doing *anything* with *any* data that arrives from a remote location.

Additionally, because the process isn't "ready" it probably denies any and all requests from external source until it knows it is "safe" to respond (i.e. it's only running as an unprivileged user).
 
Old 11-12-2008, 12:02 PM   #6
PlatinumX
Member
 
Registered: May 2008
Location: France
Distribution: Debian / Fedora / Gentoo
Posts: 178

Original Poster
Rep: Reputation: 15
Ok, very clear, thanks.

A final question: if the process binds the port < 1024 and then drop root privileges, it can maintain a "root" port open ?
 
Old 11-14-2008, 04:57 AM   #7
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
The "privilege" that requires permission is "binding" to a port that is < 1024. Once that has occurred, the program in question is given notice whenever anything arrives on that port (including access to the data that arrived). Binding the port (asking for this notification) is the privileged operation only available to root. But once the request is in, the notifications still arrive no matter what user Apache pretends to be. Otherwise, it would be a waste of time because Apache would ever only be able to run as root.

If Apache started as root (which is what happens), bound the port it needed, dropped to "apache" (an unprivileged user) and then tried to bind that port (or anything else < 1024) again, it would fail horribly. Instead it does it once, drops all root permissions and then everything that comes into port 80 is processed as the "apache" user.

For all purposes, once it has "seteuid" (set effective user id's) to "apache", it is no different to the apache user at all and no longer has any of root's "special features" and thus it will just get "permission denied". But the only "special features" is *binding* to a port (i.e. asking for notification if data arrives there and thus being able to retrieve that data), not recieving the data itself.
 
Old 11-17-2008, 07:33 AM   #8
PlatinumX
Member
 
Registered: May 2008
Location: France
Distribution: Debian / Fedora / Gentoo
Posts: 178

Original Poster
Rep: Reputation: 15
Thanks

Clear and precise.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
vsftpd port higher than 1024 henkoegema Linux - Networking 3 07-16-2006 07:43 AM
using port number below 1024 eshwar_ind Linux - Networking 2 07-01-2005 04:58 AM
udp port 1024 frgtn Linux - Security 2 03-27-2005 07:10 AM
how to bind a <1024 port number with a non root users linuxlouis Linux - Networking 0 08-11-2003 11:10 AM
services with port < 1024 markus1982 Linux - Security 11 01-27-2003 01:25 AM


All times are GMT -5. The time now is 09:49 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration