Are applications using ports < 1024 REALLY running as root?
Hey all,
I read this article http://www.linuxquestions.org/linux/...rts_below_1024. According to the theory, any application listening on a port below 1024 needs superuser privilege to bind the port. In "real life", are all applications using ports < 1024 running under the root account? Web servers, FTP servers, DNS servers, ...? Thanks
Most services drop root privileges after opening the port. So in "real life" the answer is maybe.
Then the identity of the service is like any other account. Right?
I wouldn't say they are more vulnerable unless they are actually doing something; just opening the port doesn't make them more vulnerable. But yes, once they drop privileges they are like any other account and can only directly access what that account can access.
Vulnerable against what? Remote exploits? Until the process binds the port, it isn't acting on any malicious data; it isn't *receiving* anything from the network until it binds the port. Once it binds the port, and is therefore "vulnerable" to remote attacks, it *immediately* drops the root privilege. Lots of software like Apache etc. do all their setup first and then, in two consecutive lines, bind the port and drop privileges. Any window of opportunity is on a nanosecond scale, and in that moment Apache isn't doing *anything* with *any* data that arrives from a remote location. Additionally, because the process isn't "ready", it probably denies any and all requests from external sources until it knows it is "safe" to respond (i.e. it's only running as an unprivileged user).
Ok, very clear, thanks.
A final question: if the process binds the port < 1024 and then drops root privileges, can it keep that "root" port open?
The "privilege" that requires permission is "binding" to a port that is < 1024. Once that has occurred, the program in question is given notice whenever anything arrives on that port (including access to the data that arrived). Binding the port (asking for this notification) is the privileged operation only available to root. But once the request is in, the notifications still arrive no matter what user Apache pretends to be. Otherwise it would be a waste of time, because Apache would only ever be able to run as root.
If Apache started as root (which is what happens), bound the port it needed, dropped to "apache" (an unprivileged user) and then tried to bind that port (or anything else < 1024) again, it would fail horribly. Instead it does it once, drops all root permissions, and then everything that comes into port 80 is processed as the "apache" user. For all purposes, once it has "seteuid" (set effective user id) to "apache", it is no different from the apache user at all and no longer has any of root's "special features", and thus it will just get "permission denied". But the only "special feature" is *binding* to a port (i.e. asking for notification if data arrives there and thus being able to retrieve that data), not receiving the data itself.
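The bind-then-drop sequence described in the two replies above, as an added example (this is not code from the thread or from Apache). It binds a loopback listener, permanently drops privileges with setgroups()/setgid()/setuid() (rather than the reversible seteuid() the reply mentions, so the drop cannot be undone), checks that the drop stuck, and then shows that the already-bound socket still accepts connections. The port, uid and gid are taken from the command line and default to a high port and the current user so it can be run without root; when run as root with a port below 1024, the second bind attempt after the drop is the "permission denied" the reply talks about.

```c
/* Added example: bind a listening socket first, then drop privileges for good. */
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a TCP listener on 127.0.0.1:port (port 0 = let the kernel pick).
 * Returns the listening fd, or -1 with errno set (EACCES for a low port
 * when unprivileged). */
int bind_listener(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 8) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Port the socket actually got (needed when port 0 was requested). */
int bound_port(int fd) {
    struct sockaddr_in addr;
    socklen_t len = sizeof addr;
    if (getsockname(fd, (struct sockaddr *)&addr, &len) < 0) return -1;
    return ntohs(addr.sin_port);
}

/* Permanently drop to uid/gid. Order matters: supplementary groups and gid
 * first, because after setuid() an unprivileged process can no longer change
 * its gid. Returns 0 only if every id really changed and root cannot be
 * regained. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1; /* clear supplementary groups */
    if (setgid(gid) < 0) return -1;
    if (setuid(uid) < 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;  /* the drop must not be reversible */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) return -1;
    return 0;
}

/* Connect to the listener and accept the connection: returns 1 if the socket
 * bound before the drop still delivers connections afterwards, else 0. */
int listener_still_works(int listen_fd) {
    int port = bound_port(listen_fd);
    if (port < 0) return 0;
    int c = socket(AF_INET, SOCK_STREAM, 0);
    if (c < 0) return 0;
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons((unsigned short)port);
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int ok = 0;
    if (connect(c, (struct sockaddr *)&addr, sizeof addr) == 0) {
        int a = accept(listen_fd, NULL, NULL);  /* connection is queued, so no blocking */
        if (a >= 0) { ok = 1; close(a); }
    }
    close(c);
    return ok;
}

int main(int argc, char **argv) {
    /* Assumed invocation: ./binddrop [port] [uid] [gid]; defaults avoid needing root. */
    unsigned short port = (unsigned short)(argc > 1 ? atoi(argv[1]) : 8080);
    uid_t uid = argc > 2 ? (uid_t)atoi(argv[2]) : getuid();
    gid_t gid = argc > 3 ? (gid_t)atoi(argv[3]) : getgid();

    int fd = bind_listener(port);
    if (fd < 0) { perror("bind_listener"); return 1; }
    printf("bound 127.0.0.1:%d as uid %d\n", bound_port(fd), (int)geteuid());

    if (drop_privileges(uid, gid) != 0) { perror("drop_privileges"); return 1; }
    printf("now uid %d gid %d\n", (int)geteuid(), (int)getegid());

    int again = bind_listener(80);  /* a low port after the drop: expected to fail unless still root */
    printf("re-binding port 80 after drop: %s\n", again < 0 ? strerror(errno) : "succeeded");
    if (again >= 0) close(again);

    printf("original listener still accepts: %s\n", listener_still_works(fd) ? "yes" : "no");
    close(fd);
    return 0;
}
```

The check `setuid(0) == 0` after the drop is the part most daemons forget: with seteuid() alone the saved uid stays 0 and a compromised worker can simply set itself back to root.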
Thanks
Clear and precise.