Non-root processes using registered ports

James Gray james at grayonline.id.au
Fri Mar 10 01:14:45 UTC 2006


On Thursday 09 March 2006 19:50, Billy Verreynne (JW) wrote:
> Reinhard Tartler wrote:
> > If you are really after security, it may be worth in looking into
> > SELinux, (maybe AppArmour as well, but I havn't looked at that yet).
> > Both are kernel patches though.
>
> Thanks Reinhard. But I'm stuck with RHES as these are "certified"
> platforms.

RHES/RHEL (are they the same?) come with SELinux already configured.  Whether 
or not it's actually running is merely a configuration issue.  No patching or 
recompiling kernels required

As Reinhard Tartler has already said, any programmer worth their salt should 
be able to bind to a privileged socket as root before dropping privs, and any 
admin worth their salt should understand that apps designed in this fashion 
largely avoid the "running as root" problems and to binding as root doesn't 
in itself open any security issues.

What admins want is privilege separation: ie, nothing should run as root 
unless there is absolutely no other option - including daemons and server 
processes.  If nothing could do the "root bind-to-socket, then drop privs" 
routine, you'd have a pretty odd setup!

Sounds like your problem is political, not technical :P  Good luck with that - 
my idea of politics is to use terms like "cancel your account" or "sign you 
up to pr0n spam"....I'm NOT a politician :P

Good luck.

James
-- 
The price of seeking to force our beliefs on others is that someday
they might force their beliefs on us.
		-- Mario Cuomo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20060310/1f04f9dc/attachment.pgp>


More information about the ubuntu-users mailing list