[Zope] Starting Zope

Cary O'Brien cobrien@Radix.Net
Mon, 31 Jul 2000 09:55:16 -0400 (EDT)


> 
> Interesting argument. However, consider this: if you completely trust your
> 'firewalled' box, then why not run the web server as root? One response,

Protection of the system from simple mistakes by trusted users?  Also
root can do a lot more, such as putting interfaces into promiscious
mode.  So the idea is to just lift the bind-to-low-ports check.

> in your case is the fact that you mention your trust on users(humans are
> the most easy to compromise, however that argument is a bit OT). However,
> do you trust all of your webserver code? Do you trust your cgi-bin
> scripts and applications? And by trust I not only mean harmful intent by
> the authors of software, but unintentional bugs which can be exploited,
> and will be given the privilege to bind to <1024 ports even when they run
> as a user with least privileges.
> 

My revised thinking is that the patch should only lift the restriction
for just the necessary ports.  

Another idea is to do it with groups, say let group n be a "net-privileged" group.


-- cary

> Just my opinion.
> 
> nitesh.
> 
> 
> On Sun, 30 Jul 2000, Cary O'Brien wrote:
> 
> > > Cary O'Brien wrote:
> > > 
> > > > Well...
> > > > 
> > > > If you are running on Linux you could simply edit the kernel code to
> > > > elimitate the check on being root to bind to low ports.  That's what
> > > > we did.
> > > 
> > > Which is an even worse idea.
> > > 
> > 
> > Why?  On a sufficiently firewalled off box, where the few logins are
> > completly trusted, what's the diff?  If you were worried about people
> > cracking a user account and getting underneath telnet, than limit the
> > lifting of the restriction to port 80.  If you are concerned that
> > non-root users could launch attacks from low ports at other machines,
> > assuming that only good guys can come from low ports is pretty naive.
> > 
> > The whole business about not letting anyone but root bind to low ports
> > makes sense for a public access machine where all the first year
> > engineering students have an account, but for a dedicated application
> > server it is kind of misdirected.  You ought to be running next to
> > nothing but the application, and you had better trust everyone that
> > you give a login to, and you out to have the thing locked
> > down/firewalled well.  So the tiny bit of possible protection may not
> > be worth the hassle/risks of writing your own suid-wrapper, or the
> > complexity of having a redirect and messing with site-access so that
> > the port numbers in the zope -- what it is that parameter -- base or
> > whatever, comes out write.
> > 
> > Just for fun - does NT have the same restriction?
> > 
> > -- cary
> > 
> > _______________________________________________
> > Zope maillist  -  Zope@zope.org
> > http://lists.zope.org/mailman/listinfo/zope
> > **   No cross posts or HTML encoding!  **
> > (Related lists - 
> >  http://lists.zope.org/mailman/listinfo/zope-announce
> >  http://lists.zope.org/mailman/listinfo/zope-dev )
> > 
> > 
> 
> 
> 
> --__--__--
>