Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Vincent Danen (vdanenmandrakesoft.com)
Date: Fri Dec 14 2001 - 14:46:19 CST
On Fri Dec 14, 2001 at 09:28:42AM -0000, Thomas Mangin, Personal wrote:
> Could Mandrake start using the capacities (right name ?), the idea being to
> not have any more suid application anymore giving normal user the right to
> bind to specific low port or read some root owned files.
> Or alternatively, would it be possible to modify the kernel in such way that
> all user with UID < 100 can bind to the port < 1024 and run Deamons with a
> UID < 100 ??
What apps allow users to bind to privileged ports? I don't know of
any... for instance, most servers start as root to bind to the port
then drop prives to their user (ie. apache, etc.). I'm not aware of
any normal "user" programs that can be used for this that are suid.
> I do not know what kind of compatibility it would break or what are the
> As well it is perhaps possible to SUID applications which need to be suid as
> an other user than root.
I think this would be a big change, maybe too big. A better idea
would be to incorporate something like LIDS into the kernel to provide
this sort of security.
I do think an suid audit is in order, however some apps do need to be
suid. Two that come to mind that must be suid are openssh and gpg.
-- MandrakeSoft Security, OpenPGP key available on www.keyserver.net 1024D/FE6F2AFD 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD
Current Linux kernel 2.4.8-34.1mdk uptime: 24 days 22 hours 12 minutes.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org
iD8DBQE8GmUbIEPQ5f5vKv0RAmY0AJ9hRlqNEAtVpNYMmRJKkZjYl8pLvgCgoj1P bNdFEbtvtR6WAPHSC5whR30= =GMzP -----END PGP SIGNATURE-----