Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'm trying to set up all my server's key programs (ssh, httpd, cups, etc.) to run under their own restricted user. The only problem is that, for example, when (as root) I enter "sudo -u sshd /usr/sbin/sshd" to start ssh without it ever having root privileges, it fails to initialize and auth.log says that it can't bind to port 22 - access denied. (I'm using Mandrake 10.0, set to "higher security"; the system is also configured to be generally paranoid.)
So, how can I give certain users (httpd, sshd, proftpd) access to only the ports they need to run?
Some daemons can be started as root and then, after binding to a privileged port, drop the root privileges and run as some unprivileged user, like sshd. Try reading manuals or googling. Btw, ssh has some intelligent privilege separation system, so if you're using the most recent version and if it won't offend your paranoia, you can just run it as root.
Maybe you could do some iptables magic and redirect all the traffic that comes to the well-known <1024 ports to higher ports so that your programs don't need to have the setuid bit. And don't forget to redirect the output of those ports to the ports the client program expects or you will break communications.
Didn't actually test it, it is just supposed to get you going. Theoretically it should redirect incoming web traffic to your apache that is running on port 6666 without the client browser noticing anything.
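The rules that reply refers to did not survive on this page. As an added example (not the poster's commands), the script below prints the NAT rules for the port 80 to 6666 redirect described in the thread so they can be reviewed before being applied; the function names `is_port` and `redirect_rules` are hypothetical.

```shell
#!/bin/sh
# Added example: print (dry run) the iptables NAT rules that let a daemon
# listen on an unprivileged port while clients keep using the well-known one.
# Ports 80 and 6666 come from the thread; function names are hypothetical.

# is_port N: succeeds only if N is a decimal integer in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;   # empty, non-digit, or too long
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# redirect_rules PUBLIC_PORT HIGH_PORT
# Prints the commands instead of running them; returns 2 on bad input.
redirect_rules() {
    pub=$1
    high=$2
    is_port "$pub" && is_port "$high" || {
        echo "invalid port" >&2
        return 2
    }
    # The redirect only makes sense from a privileged to an unprivileged port.
    [ "$pub" -lt 1024 ] && [ "$high" -ge 1024 ] || {
        echo "expected PUBLIC < 1024 <= HIGH" >&2
        return 2
    }
    # Packets arriving from the network traverse nat/PREROUTING.
    echo "iptables -t nat -A PREROUTING -p tcp --dport $pub -j REDIRECT --to-ports $high"
    # Locally generated packets skip PREROUTING, so clients on the box itself
    # (routed via the loopback interface) need a matching rule in nat/OUTPUT.
    echo "iptables -t nat -A OUTPUT -o lo -p tcp --dport $pub -j REDIRECT --to-ports $high"
}

# Show the rules for the case discussed in the thread.
redirect_rules 80 6666
```

Netfilter NAT is connection-tracked, so reply packets are rewritten back to port 80 without a separate outbound rule. Once the service listens above 1024, the port is no longer reserved for root, so any local account can bind it whenever the daemon is not running.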
I tried using the iptables suggestion, and then realized that on Mandrake I can just edit /etc/shorewall/rules - added redirects for inbound/outbound port 80/6666 to 6666/80 respectively, just tested it, and it seems to work. The main problem was that user apache lacked write access to the logfiles and /var/run/httpd - solved those. Now I just need to make sure that it works elsewhere and I can start changing ssh and cups over.
And yes, it's true that when I start httpd as root it creates one root process and then spawns other processes under user 'apache', and that I've enabled privilege separation for sshd, but I'm still uncomfortable with having any more root processes than absolutely necessary. (Presumably that'd be bad if the process table were corrupted by a cracker).
Anyway, thanks again for the inspiration! Btw, the server is ejksdesktop.homelinux.com - can someone confirm that it works (i.e. loads)?