Interesting argument. However, consider this: if you completely trust your 'firewalled' box, then why not run the web server as root? One response,
Protection of the system from simple mistakes by trusted users? Also root can do a lot more, such as putting interfaces into promiscuous mode. So the idea is to just lift the bind-to-low-ports check.
in your case is the fact that you mention your trust in users (humans are the easiest to compromise, however that argument is a bit OT). However, do you trust all of your webserver code? Do you trust your cgi-bin scripts and applications? And by trust I not only mean harmful intent by the authors of software, but unintentional bugs which can be exploited, and will be given the privilege to bind to <1024 ports even when they run as a user with least privileges.
My revised thinking is that the patch should only lift the restriction for just the necessary ports. Another idea is to do it with groups, say let group n be a "net-privileged" group. -- cary
Just my opinion.
nitesh.
On Sun, 30 Jul 2000, Cary O'Brien wrote:
Cary O'Brien wrote:
Well...
If you are running on Linux you could simply edit the kernel code to eliminate the check on being root to bind to low ports. That's what we did.
Which is an even worse idea.
Why? On a sufficiently firewalled off box, where the few logins are completely trusted, what's the diff? If you were worried about people cracking a user account and getting underneath telnet, then limit the lifting of the restriction to port 80. If you are concerned that non-root users could launch attacks from low ports at other machines, assuming that only good guys can come from low ports is pretty naive.
The whole business about not letting anyone but root bind to low ports makes sense for a public access machine where all the first year engineering students have an account, but for a dedicated application server it is kind of misdirected. You ought to be running next to nothing but the application, and you had better trust everyone that you give a login to, and you ought to have the thing locked down/firewalled well. So the tiny bit of possible protection may not be worth the hassle/risks of writing your own suid-wrapper, or the complexity of having a redirect and messing with site-access so that the port numbers in the zope -- what it is that parameter -- base or whatever, comes out right.
Just for fun - does NT have the same restriction?
-- cary
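The thread weighs three options for serving on port 80 without running the whole server as root: patching the kernel check out, a suid wrapper, or a port redirect. The standard least-privilege pattern that the "suid-wrapper" idea is reaching for is to bind the low port exactly once while still root and then drop to an unprivileged uid/gid before any request is handled, so a bug in the application code runs with neither root nor the ability to open more privileged ports. The program below is an added illustration of that pattern, not code from the thread or from Zope; the port (80), the account name ("nobody") and the loopback bind address are assumptions for the example.

```c
/* Added example (not from the thread or Zope): bind a privileged port while
 * still root, then permanently drop to an unprivileged identity before
 * handling traffic. Port 80 and the user "nobody" are assumed values. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>
#include <unistd.h>
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Create a listening TCP socket on 127.0.0.1:port. Returns the fd, or -1 on
 * error. Port 0 asks the kernel for an ephemeral (unprivileged) port, which
 * lets the function be exercised without root. */
int bind_listener(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);               /* < 1024 requires root here */
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Permanently switch to uid/gid. Order matters: supplementary groups and the
 * gid must be changed while still root; the uid goes last because after it
 * we can no longer change anything. Every step is checked, and the result is
 * re-read so a silently failed drop is reported instead of trusted.
 * Returns 0 on success, -1 on failure (errno set). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Only a privileged process may call setgroups; clear inherited groups. */
        if (setgroups(1, &gid) != 0)
            return -1;
    }
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* setuid() from root also sets the effective and saved ids; confirm it. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* 1 if the process still carries root in its real or effective uid. */
int still_root(void)
{
    return getuid() == 0 || geteuid() == 0;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "nobody";       /* assumed account */
    uint16_t port = argc > 2 ? (uint16_t)atoi(argv[2]) : 80; /* assumed port   */

    struct passwd *pw = getpwnam(user);
    if (!pw) {
        fprintf(stderr, "no such user: %s\n", user);
        return 1;
    }
    int fd = bind_listener(port);          /* the only step that needs root */
    if (fd < 0) {
        perror("bind_listener");
        return 1;
    }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        perror("drop_privileges");
        return 1;                           /* never serve with root retained */
    }
    /* From here on the process is unprivileged but keeps the bound socket. */
    printf("listening on 127.0.0.1:%u as uid %u, root retained: %s\n",
           (unsigned)port, (unsigned)getuid(), still_root() ? "yes" : "no");
    close(fd);
    return 0;
}
```

Run as root with `./a.out nobody 80`; the bind succeeds before the drop and the accept loop (omitted here) would run as `nobody`. The same structure is what a minimal suid wrapper would have to get right, which is why the thread's worry about the "hassle/risks" of writing one is fair: forgetting `setgid` before `setuid`, skipping `setgroups`, or ignoring the return values leaves root reachable. On current Linux the "net-privileged group" idea from the thread is available without a kernel patch: granting the binary `cap_net_bind_service=+ep` with `setcap` lets an unprivileged user bind low ports, and the `net.ipv4.ip_unprivileged_port_start` sysctl lowers the boundary system-wide; both are narrower than removing the check from the kernel for everyone.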
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )