Re: [TwinCLinG] uid 0 for ports < 1024 -- why ?

  • ramana
    Message 1 of 15 , Dec 9, 2001
      >
      > But then, why does apache need uid 0 for ?
      > and why are ports < 1024 need uid 0 -- the reason
      > for this is
      > history -- long ago, the unix servers used to have
      > large number
      > of non-root users and not everybody was supposed to
      > listen to
      > these ports, for various reasons. But this is no
      > longer the case
      > in >75% of the servers. I am the only user on my
      > server.
      >
      > and so in the present day case, it more beneficial
      > to allow
      > non-root users to bind to all the ports -- leaving
      > less security
      > holes.
      >
      > What are your opinions ?
      >
      >
      > Santosh
      >

      There is another side to it.

      What if some non root programme (i.e. all those
      programmes which are run by every others) hijacked all
      ports<1024?

      Other possibilities are much more dangerous. For
      example some worm imitating some standard service
      and at the same time stealing some sensitive
      information. Since the worm can be run by any user!

      by
      ramana



    • Santosh Cheler
      Message 2 of 15 , Dec 9, 2001
        >From: ramana <rmn_ilughyd@...>
        >There is another side to it.
        >
        > What if some non root programme (i.e. all those
        >programmes which are run by every others) hijacked all
        >ports<1024?
        >

        If that is a third-party (untrusted?) programme, then even
        root can be fooled.


        > Other possibilities are much more dangerous. For
        >example some worm immitating some standard service
        >and at the same time stealing some sensitive
        >information. Since the work can be run by any user!
        >

        But tell me how many unix servers have non-root users.

        Machines today are not shared. They are owned and used
        by single entities, and for server machines (like
        www.yahoo.com) the only people with access to the machine are ones who
        already have root access. Either you trust the machine and all of its
        sysadmins and users, or you don't.

        ~Santosh

        >by
        >ramana
      • Suresh Ramasubramanian
        Message 3 of 15 , Dec 9, 2001
          +++ Santosh Cheler [10/12/01 04:26 +0000]:
          > But tell me how many unix servers have non-root users.
          >
          > Machines today are not shared. They are owned and used
          > by single entities, and for server machines (like
          > www.yahoo.com) the only people with access to the machine are ones who
          > already have root access. Either you trust the machine and all of its
          > sysadmins and users, or you don't.

          Man, try a system where there are free shell accounts (like arbornet.org for
          example). Or try a system which gives webmail access (with apache running as
          a non privileged user). Or in fact, try a system which gives webhosting on a
          shared unix server, and also ssh (or even telnet) access to its users.

          Now you were saying? ....

          -srs

          --
          Suresh Ramasubramanian + suresh <@> kcircle.com
          Friday@... + http://www.kcircle.com
        • Nick Hill
          Message 4 of 15 , Dec 10, 2001
            On Mon, Dec 10, 2001 at 04:26:11AM +0000, Santosh Cheler wrote:
            >
            > But tell me how many unix servers have non-root users.
            >
            > Machines today are not shared. They are owned and used
            > by single entities, and for server machines (like
            > www.yahoo.com) the only people with access to the machine are ones who
            > already have root access. Either you trust the machine and all of its
            > sysadmins and users, or you don't.
            >

            huh? i thought the transition of OSen was from DOS->Windows->UNIX. The
            multiuser-ness of the system increases in that order. Since when are we
            going the other way? Dont tell me, you log in as r00t while on u're system
            all the time. If all you're using is a Desktop PC, that wouldn't matter, altho
            i dont log in as r00t till absolutely necessary, even on my desktop pc.

            you dont trust anyone, bud. as suresh has mentioned, shell accounts, pop3 boxen,
            et al _survive_ on multi-user access. If i dont have user access, how about
            running BIND as r00t, and i cause a buffer overflow from a remote host, and you
            wont even know what hit you, cuz i'll be rm -rf'ing / wee! There goes all yer
            pr0n! :P

            Most of the computers are used as servers on the 'net. Heck, what else can they
            be used for. From what u're trying to say, authentication should be a thing of
            the past. So, all boxen on the net shuld either be totall-closed or totally-open
            eh?

            Where's the salt? I need a grain.

            Nikhil.


            --
            Nikhil Shankar (nikhilwiz at yahoo.com)

            Slackware Linux http://www.slackware.com/
            I guess that's why people care: Simplicity is Divine.

          • Santosh Cheler
            Message 5 of 15 , Dec 10, 2001
              >From: Nick Hill <nikhilwiz@...>
              >Reply-To: ilughyd@yahoogroups.com
              >To: ilughyd@yahoogroups.com
              >Subject: Re: [TwinCLinG] uid 0 for ports < 1024 -- why ?
              >Date: Mon, 10 Dec 2001 14:06:03 +0530
              >
              >On Mon, Dec 10, 2001 at 04:26:11AM +0000, Santosh Cheler wrote:
              > >
              > > But tell me how many unix servers have non-root users.
              > >
              > > Machines today are not shared. They are owned and used
              > > by single entities, and for server machines (like
              > > www.yahoo.com) the only people with access to the machine are ones who
              > > already have root access. Either you trust the machine and all of its
              > > sysadmins and users, or you don't.
              > >
              >
              >huh? i thought the transition of OSen was from DOS->Windows->UNIX. The
              >multiuser-ness of the system increases in that order. Since when are we
              >going the other way? Dont tell me, you log in as r00t while on u're system
              >all the time. If all you're using is a Desktop PC, that wouldn't matter,
              >altho
              >i dont log in as r00t till absolutely necessary, even on my desktop pc.
              >


              Cool man, have patience. Again, let me remind you, I am talking about
              servers
              used for serious business, not the ones in the universities' labs.
              btw, I am not a newbie(not an expert either), and I dont work as root
              all the time -- it requires proper control over your mind :-)


              >you dont trust anyone, bud. as suresh has mentioned, shell accounts, pop3
              >boxen,
              >et al _survive_ on multi-user access. If i dont have user access, how about
              >running BIND as r00t, and i cause a buffer overflow from a remote host, and
              >you
              >wont even know what hit you, cuz i'll be rm -rf'ing / wee! There goes all
              >yer
              >pr0n! :P
              >


              why root ? use a dummy user, no problems with this.

              >Most of the computers are used as servers on the 'net. Heck, what else can
              >they
              >be used for. From what u're trying to say, authentication should be a thing
              >of
              >the past. So, all boxen on the net shuld either be totall-closed or
              >totally-open
              >eh?
              >
              >Where's the salt? I need a grain.

              checkup your taste buds with a doctor :-)


              Santosh.


              >
              >Nikhil.
              >
              >
              >--
              >Nikhil Shankar (nikhilwiz at yahoo.com)
              >
              >Slackware Linux http://www.slackware.com/
              >I guess that's why people care: Simplicity is Divine.
              >
            • Nick Hill
              Message 6 of 15 , Dec 10, 2001
                On Mon, Dec 10, 2001 at 09:47:22AM +0000, Santosh Cheler wrote:
                > Cool man, have patience. Again, let me remind you, I am talking about
                > servers
                > used for serious business, not the ones in the universities' labs.
                > btw, I am not a newbie(not an expert either), and I dont work as root
                > all the time -- it requires proper control over your mind :-)
                >

                have you heard of virtual hosting? yes, the servers are used for "serious
                business". Most of the virtual hosting guys give out shell (ftp/ssh)
                access for ppl. like u and me to upload stuff onto our website. I dont need
                to mention the outcome, if all the customers who have hosted their website
                with the particular webhosting service, are given root access. i rest my
                case.

                > why root ? use a dummy user, no problems with this.
                >

                how many dummy users? do you suggest i use the same "dummy user" for apache,
                BIND, sendmail, etc.? i exploit one of these apps, and whoa! i have access
                to the rest. neat.

                > checkup your taste buds with a doctor :-)
                >

                The last i checked, they're just fine. trust me on that.

                Nikhil.

                --
                Nikhil Shankar (nikhilwiz at yahoo.com)

                Slackware Linux http://www.slackware.com/
                I guess that's why people care: Simplicity is Divine.

              • Suresh Ramasubramanian
                Message 7 of 15 , Dec 10, 2001
                  +++ Santosh Cheler [10/12/01 09:47 +0000]:
                  > Cool man, have patience. Again, let me remind you, I am talking about
                  > servers
                  > used for serious business, not the ones in the universities' labs.

                  Tell you what, we run servers with ~ 20 million webmail users.

                  > btw, I am not a newbie(not an expert either), and I dont work as root
                  > all the time -- it requires proper control over your mind :-)

                  That's right. However we wouldnt want to try what you suggest.

                  > why root ? use a dummy user, no problems with this.

                  Then once I gain control of that dummy user, I can run some local root
                  exploit and get root.

                  --
                  Suresh Ramasubramanian + suresh <@> kcircle.com
                  Friday@... + http://www.kcircle.com
                • Santosh Cheler
                  Message 8 of 15 , Dec 10, 2001
                    >From: Nick Hill <nikhilwiz@...>
                    >business". Most of the virtual hosting guys give out shell (ftp/ssh)
                    >access for ppl. like u and me to upload stuff onto our website. I dont need
                    >to mention the outcome, if all the customers who have hosted their website
                    >with the particular webhosting service, are given root access. i rest my
                    >case.
                    >

                    user stuff hosting is something we will have to think about, but at least
                    there will not be root exploits anymore. All I am trying to say is there
                    are more downsides than upsides bcoz of this restriction. Probably, details
                    have to be worked out in more depth.


                    > > why root ? use a dummy user, no problems with this.
                    > >
                    >
                    >how many dummy users? do you suggest i use the same "dummy user" for
                    >apache,
                    >BIND, sendmail, etc.? i exploit one of these apps, and whoa! i have access
                    >to the rest. neat.
                    >


                    yeah, possibly different users...this way they are, at the least, miles
                    away
                    from the nuclear root.

                  • Nick Hill
                    Message 9 of 15 , Dec 11, 2001
                      On Mon, Dec 10, 2001 at 10:17:09AM +0000, Santosh Cheler wrote:
                      > user stuff hosting is something we will have to think about, but atleast
                      > there will not be root exploits anymore. All I am trying to say is there
                      > are more downsides than upsides bcoz of this restriction. Probably, details
                      > have to worked out in more depth.
                      >

                      you dont stop riding a vehicle on the road just cuz the roads these days are
                      very accident prone. That's not the idea. You improve the safety standards.
                      You put on seat belts, helmets et al.

                      You need to improve the security consciousness of admins, and force them to
                      implement better security in a public machine. if all multi-user boxen around
                      the world were to be turned into single user r00t-owned systems, we might as
                      well pack our bags, and get back to good ol' win3.1/DOS, and what's this *nix
                      thingy anywayz? :)

                      Most importantly, the BOFH wouldn't exist without multi-user systems. How are
                      sysadmins s'posed to achieve their BOFH dream, if no users were let in? :D

                      > yeah, possibly different users...this way they are, at the least, miles
                      > away
                      > from the nuclear root.
                      >

                      applications are only half the picture. UNIX is designed to support many users.
                      It is also for preventing users from launching attacks against other users on
                      the same system. Have you ever heard of software development? CVS? Xterms? Since
                      you claim not to be a newbie, I think i'll save some bytes, by not detailing
                      stuff. Supporting multiple users on an OS has a _lot_ of merits. Dont shy
                      away from security. Take it in your path, and implement it.

                      'nuff said.

                      Nikhil.


                      --
                      Nikhil Shankar (nikhilwiz at yahoo.com)

                      Slackware Linux http://www.slackware.com/
                      I guess that's why people care: Simplicity is Divine.

                    • ramana
                      Message 10 of 15 , Dec 11, 2001
                        --- Santosh Cheler <csk4you@...> wrote:

                        >
                        > But then, why does apache need uid 0 for ?
                        > and why are ports < 1024 need uid 0 -- the reason
                        > for this is
                        > history -- long ago, the unix servers used to have
                        > large number
                        > of non-root users and not everybody was supposed to
                        > listen to
                        > these ports, for various reasons. But this is no
                        > longer the case
                        > in >75% of the servers. I am the only user on my
                        > server.
                        >
                        > and so in the present day case, it more beneficial
                        > to allow
                        > non-root users to bind to all the ports -- leaving
                        > less security
                        > holes.
                        >
                        > What are your opinions ?
                        >
                        >
                        > Santosh
                        >

                        Both methods definitely have some serious drawbacks.

                        Instead of wasting time about which method is good, it
                        is better to concentrate on improving security in
                        existing practice.

                        Most of the security break-downs are due to the
                        ignorance of administrators.

                        by
                        ramana


                      • Santosh Cheler
                        Message 11 of 15 , Dec 11, 2001
                          Right in my first mail, I have restricted the discussion to
                          yahoo like servers, where we do not expect shell users. I dont
                          know why we are digressing from this.

                          I do not even understand why you think linux minus multiuser
                          capabilities is equivalent to windows 3.1/95/98. Note that I
                          did not mean to remove the multiuser capabilities, but just
                          not to use them.

                          I am just exploring this idea, and wanted your comments as I too
                          was/am not confident about it. I am convinced only with suresh's
                          comment about local root exploits.


                          Santosh

                        • Nick Hill
                          Message 12 of 15 , Dec 12, 2001
                            On Wed, Dec 12, 2001 at 06:18:18AM +0000, Santosh Cheler wrote:
                            > Right in my first mail, I have restricted the discussion to
                            > yahoo like servers, where we do not expect shell users. I dont
                            > know why are digressing from this.
                            >

                            hmm, i was thinking on similar lines. The reason we "digressed" from
                            the topic on hand is cuz you said "Either you trust the machine and all of its
                            sysadmins and users, or you don't." That's where the thread branched
                            off.

                            > I do not even understand why you think linux minus multiuser
                            > capabilities is equivalent to windows 3.1/95/98. Note that I
                            > did not mean to remove the multiuser capabilities, but just
                            > not to use them.
                            >
                            > I am just exploring this idea, and wanted your comments as I too
                            > was/am not confident about it. I am convinced only with suresh's
                            > comment about local root exploits.
                            >

                            local root exploits can take place only if you allow a shell. Since
                            you dont plan to do that, you might be saved from that. But then,
                            there could also be a remote-local combo that can be done. exploit
                            a remote exploit to gain user access, and then run local exploit code
                            using the remote stackframe/code/et al. And, yes, this is sorta tough.
                            Atleast its not a 5cr1pt k1d133 thing. phew!

                            I'd still stick to a stronger security policy. Having different uid/gid
                            gives a lot of flexibility. If you're not in a mood to use them, go
                            ahead, but I dont think it'll be a pleasant drive.

                            Besides, if i have a remote exploit to your dummy user, and according to
                            your policy of allowing users to listen on ports <1024, i can make the
                            server listen on an alternate port (how about port 80? ;), and make your
                            webserver (apache) refuse to start up.

                            your idea of allowing everyone on ports <1024 could prove to be a security
                            nightmare. You're losing out on the security provided in the system, and
                            are planning to replace it by human intervention. There's more than you
                            think about a multi-user system, and security comes on top.

                            Nikhil.

                            --
                            Nikhil Shankar (nikhilwiz at yahoo.com)

                            Slackware Linux http://www.slackware.com/
                            I guess that's why people care: Simplicity is Divine.

                          • Santosh Cheler
                            Message 13 of 15 , Dec 12, 2001
                              >From: Nick Hill <nikhilwiz@...>
                              >local root exploits can take place only if you allow a shell. Since
                              >you dont plan to do that, you might be saved from that. But then,
                              >there could also be a remote-local combo that can be done. exploit
                              >a remote exploit to gain user access, and then run local exploit code
                              >using the remote stackframe/code/et al. And, yes, this is sorta tough.
                              >Atleast its not a 5cr1pt k1d133 thing. phew!
                              >


                              agreed.



                              >I'd still stick to a stronger security policy. Having different uid/gid
                              >gives a lot of flexibility. If you're not in a mood to use them, go
                              >ahead, but I dont think it'll be a pleasant drive.
                              >
                              >Besides, if i have a remote exploit to your dummy user, and according to
                              >your policy of allowing users to listen on ports <1024, i can make the
                              >server listen on an alternate port (how about port 80? ;), and make your
                              >webserver (apache) refuse to start up.
                              >


                              This doesnt make sense in the present context as it (blocking apache)
                              can be done even otherwise.




                              Here is somebody else's comments in a different mailing list:

                              Yes, there are plenty of local root exploits in Linux. There has even
                              been one in OpenBSD. Local root exploits are a fact of life in
                              non-trusted systems such as OpenBSD and Linux.

                              In your post you suggest that if I were running the web server as
                              non-root, and it had a buffer overflow or similar vulnerability, the
                              hack process would be this:

                              1. Hack into web server process.

                              2. Run local -> root exploit.

                              3. Done.

                              In the case where the server is running as root (which is the case on
                              all *UNIX things right now), the process looks like this:

                              1. Hack into web server process.

                              2. Done.

                              Your comment above basically proves my point that we get better security
                              if we allow non-root stuff to bind to low ports. The reason why this
                              is such a big deal is that Step 2 (Run local -> root exploit) is an
                              extra barrier and it can be a very, very difficult barrier on some OSes,
                              such as OpenBSD or a well-configured Linux system. In its years of
                              existence, OpenBSD has had only one local -> root exploit.

                              On the subject of local -> root exploits, they are mostly caused by
                              SUID processes, like sendmail or "trivial" things like lpd or at. If
                              you want your server to be secure, audit the system for suid files and
                              turn off all that aren't absolutely necessary. This goes a long way.
                              Btw, there would be a lot _less_ suid stuff on systems if non-root
                              could bind to low ports. This would also prevent some local attacks.

                              Basically security design is hard to understand and few people
                              understand it. People who don't understand it often think that "more
                              restrictions means more secure", which is often incorrect, because it
                              often means that you need to run ordinary stuff at higher permission
                              levels to get around these restrictions, and that's bad. People who
                              understand security design think more in terms of compartmentalization
                              and auditing than in terms of generic restrictions.

                              Trusted systems like EROS, Trusted BSD and SE Linux are based on this
                              idea. Root is the root of all evil, and so these three systems solve
                              the problem by not having root.

                              This may sound strange, but that actually makes the systems _easier_
                              to use.

                              Just for completeness, here is how the above attack would look on a
                              Trusted BSD system:

                              1. Hack into web server process.

                              2. Serve your own "| 0\^//\/ 7H|S S|73!!" message.

                              3. That's all you can do. Oh, and it's all audited.



                            • Nick Hill
                              Message 14 of 15 , Dec 13, 2001
                                On Thu, Dec 13, 2001 at 04:18:01AM +0000, Santosh Cheler wrote:
                                > In the case where the server is running as root (which is the case on
                                > all *UNIX things right now), the process looks like this:
                                >
                                > 1. Hack into web server process.
                                >
                                > 2. Done.
                                >

                                nope. that's _not_ the case. the webserver doesn't run as root. it changes its
                                uid and euid when spawning a new process to handle a connection. Even if you
                                exploit the webserver, all you get is the "dummy" user used. check this out:

                                $ ps auxw|grep httpd
                                root 84 0.0 1.4 40788 3648 ? S 20:34 0:00 /usr/sbin/httpd
                                nobody 107 0.0 1.4 40812 3640 ? S 20:34 0:00 /usr/sbin/httpd

                                the process is started by r00t, and then each process spawned to handle a
                                new connection is forced to change its uid/gid and euid/egid to the one
                                specified in the config file:

                                User nobody
                                Group nobody

                                so, even if you exploit the webserver, you dont have r00t. about your comment
                                on sendmail, the recent versions dont need r00t, too. the setuid/setgid method
                                ensures that the service ports (0-1024) can still be started by root, and still
                                remain secure, if they're exploited, because the attacker doesn't get root
                                access, anywayz. get the idea? :)

                                so, where does that leave us now?

                                Nikhil.

                                --
                                Nikhil Shankar (nikhilwiz at yahoo.com)

                                Slackware Linux http://www.slackware.com/
                                I guess that's why people care: Simplicity is Divine.
