iptables question, ports over 1024
Robert Brockway
rbrockway-wgAaPJgzrDxH4x6Dk/4f9A at public.gmane.org
Thu Jun 23 18:49:20 UTC 2005
On Thu, 23 Jun 2005, Lennart Sorensen wrote:
> Don't you mean a non-root user is only allowed to bind above port 1023?
Actually no, but neither did I mean what I said (oops :)
The correct rendition of the traditional *nix security model (as it
applies to port binding) is:
1. Only root may bind ports in the range 0-1023
2. Anyone may bind ports >1023 [1]
The idea here is that if you are connecting to a low port (0-1023) on a
remote box you can have some confidence that the box's admin was running
the service. Modern *nix OSes are doing away with this for a variety of
reasons:
1. It doesn't help much from a security point of view.
I've seen cases where people have run a service as root to get around
this problem, where they otherwise did not have to. In these cases it
was actually reducing the security of the box.
2. It makes admins jump through hoops for no good reason. E.g., having
to allow root privs just to bind the web server to tcp port 80 before
dropping privs.
3. It is easy to be an admin on a *nix box now. Originally admins formed
a small largely trusted clique so restricting low ports to them
potentially implied some trust in the service.
[1] User "nobody" may be excluded from this on some OSes.
Cheers,
Rob
--
Robert Brockway B.Sc.
Senior Technical Consultant, OpenTrend Solutions Ltd.
Ph: +1-416-669-3073 Email: rbrockway-wgAaPJgzrDxH4x6Dk/4f9A at public.gmane.org http://www.opentrend.net
OpenTrend Solutions: Reliable, secure solutions to real world problems.
Contributing Member of Software in the Public Interest http://www.spi-inc.org
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
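The low-port rule and the bind-then-drop-privileges hoop described in the message above, as an added Python example that is not part of the original post or thread. It assumes a Unix host: the sysctl path net.ipv4.ip_unprivileged_port_start is Linux-specific (4.11 and later) and is how the 1024 boundary can be lowered on modern kernels; on other systems the code falls back to the classic 1024. The function names (try_bind, bind_then_drop, and so on) are my own.

```python
import errno
import os
import socket

# Linux (4.11+) exposes the privileged-port boundary as a sysctl; older
# kernels and other Unixes hard-wire it at 1024. Path is Linux-specific.
SYSCTL_PATH = "/proc/sys/net/ipv4/ip_unprivileged_port_start"


def running_as_root():
    """True when the effective uid is 0 (the traditional model's only check)."""
    return os.geteuid() == 0


def current_ids():
    """Real (uid, gid) of this process; used as the drop target in the demo."""
    return os.getuid(), os.getgid()


def unprivileged_port_start():
    """Lowest port an unprivileged process may bind on this host.

    Returns the sysctl value on Linux and the traditional 1024 elsewhere.
    """
    try:
        with open(SYSCTL_PATH) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 1024


def try_bind(port, host="127.0.0.1"):
    """Attempt to bind a TCP socket to (host, port).

    Returns 0 on success, otherwise the errno: EACCES for a privileged
    port as non-root, EADDRINUSE if something already listens there.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return 0
    except OSError as e:
        return e.errno
    finally:
        s.close()


def expected_bind_result(port):
    """What the traditional model predicts try_bind(port) returns here."""
    if port == 0:  # port 0 asks the kernel for an ephemeral (high) port
        return 0
    if running_as_root() or port >= unprivileged_port_start():
        return 0
    return errno.EACCES


def bind_then_drop(port, uid, gid, host="127.0.0.1"):
    """Bind while privileged, then drop to uid/gid before serving.

    This is the hoop the post describes: a web server starts as root only
    long enough to bind port 80, then becomes an unprivileged user. The
    open socket survives the uid change, so accept() needs no privilege.
    Returns the listening socket.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(8)

    if running_as_root():
        os.setgroups([])  # clear supplementary groups; only root may do this
    # Group before user: once the uid is unprivileged, setgid() is refused.
    os.setgid(gid)
    os.setuid(uid)

    if uid != 0:
        # Verify the drop is irreversible: regaining root must now fail.
        try:
            os.setuid(0)
        except PermissionError:
            pass
        else:
            s.close()
            raise RuntimeError("privileges were not dropped")
    return s


if __name__ == "__main__":
    print(f"euid={os.geteuid()} unprivileged ports start at {unprivileged_port_start()}")
    for port in (80, 1023, 1024, 8080):
        rc = try_bind(port)
        want = expected_bind_result(port)
        print(f"bind({port}) -> {'ok' if rc == 0 else os.strerror(rc)} "
              f"(model predicts {'ok' if want == 0 else 'EACCES'})")
    # Demo drops to the current real ids; as root, substitute a service account.
    srv = bind_then_drop(0, *current_ids())
    print("listening on", srv.getsockname(), "as euid", os.geteuid())
    srv.close()
```

Run it once as an ordinary user and once under sudo: the first run gets EACCES on 80 and 1023 and succeeds on 1024 and 8080; the second binds all four (or reports EADDRINUSE where a real service is listening). On a Linux host where net.ipv4.ip_unprivileged_port_start has been lowered, expected_bind_result follows the sysctl, which is exactly the "doing away with this" the post refers to.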