Subject: Re: Demo patch - run telnetd as non-root and chroot()'ed
From: Pavel Kankovsky (peakargo.troja.mff.cuni.cz)
Date: Fri Jul 21 2000 - 04:23:19 CDT

On Thu, 20 Jul 2000, Kragen Sitaker wrote:

> - "portmap" is running as user "bin". It should probably be in a
> different group.

Portmap should die.

> - "syslogd" is running as root. Why? So it can listen on /dev/log?

So and so it can listen on 514/udp *ducking and running for cover*

> - "atd" is running as "daemon". Bravo for Red Hat. Why doesn't it
> have a userid of its own? Isn't "atd" one of the canonical
> applications for userv?

AFAIK, it has ruid daemon and euid root or vice versa. Ergo, it is running
as root (for the same reason crond runs as root) but it tries to hide it.

> - "inetd" is running as root so it can bind to low ports.

...and invoke programs that need to run as root and other users.

> - "mingetty" is running as root for no obvious reason. Can someone
> enlighten me?

It needs to start login.

> - Apache is running as root so it can bind to port 80 and become nobody.

Only the "supervisor" process runs as root and it makes some sense because
children cannot mess with it.

> The ideal situation would be that each daemon runs as a different uid
> in a different chrooted area.

Ideally, each INSTANCE should run in its own compartment (uid + chroot).
For instance, if Chris' telnetd patch is used, and all telnetd instances
run under the same uid, a compromised telnetd process can ptrace() (at
least unless some setcap() magic or something similar is used) other
instances and manipulate them (read passwords, insert commands).

> Hardlinks make this fairly cheap, spacewise...

...both on disk and in memory (readonly mmaps of a hardlinked file can
share pages).

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
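
The per-instance compartment (uid + chroot) discussed in the message above, sketched in C as an added example; it is not code from Chris' telnetd patch or from anyone in the thread. The reserved uid range 60000-60255, the function names and the jail directory passed on the command line are assumptions.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: uids BASE..BASE+SLOTS-1 are reserved for this daemon only. */
#define COMPARTMENT_BASE_UID 60000u
#define COMPARTMENT_SLOTS    256u

/* Map one connection slot to its own uid/gid; -1 if outside the range. */
int compartment_id(unsigned slot, uid_t *id)
{
    if (slot >= COMPARTMENT_SLOTS) { errno = ERANGE; return -1; }
    *id = (uid_t)(COMPARTMENT_BASE_UID + slot);
    return 0;
}

/* Confine the calling process (started as root) to `jail` under id:id.
 * Returns 0 on success, -1 with errno set; the caller must exit on failure,
 * because a partial drop leaves the process in an undefined privilege state. */
int enter_compartment(const char *jail, uid_t id)
{
    if (jail == NULL || jail[0] != '/' || id == 0) { errno = EINVAL; return -1; }
    /* chroot() needs root, so it happens before the uid is given up. */
    if (chroot(jail) != 0 || chdir("/") != 0) return -1;
    /* Supplementary groups, then gid, then uid: once setuid() has run the
     * process no longer has the privilege to change its groups. */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid((gid_t)id) != 0 || setuid(id) != 0) return -1;
    /* The drop must be permanent: regaining root has to fail. */
    if (setuid(0) == 0 || getuid() != id || geteuid() != id) { errno = EPERM; return -1; }
    return 0;
}

int main(int argc, char **argv)
{
    uid_t id;
    if (argc != 2) { fprintf(stderr, "usage: %s /absolute/jail\n", argv[0]); return 2; }
    /* Slot 3 stands for one accepted connection (constructed value). */
    if (compartment_id(3, &id) != 0 || enter_compartment(argv[1], id) != 0) {
        perror("enter_compartment");
        return 1;
    }
    printf("confined: uid=%lu\n", (unsigned long)getuid());
    return 0;
}
```

Because every instance gets a distinct uid, the same-uid ptrace() access described in the message is not available between instances, and a slot's uid must not be reused until its previous process has exited.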