Non-root processes using registered ports
James Gray
james at grayonline.id.au
Fri Mar 10 01:14:45 UTC 2006
On Thursday 09 March 2006 19:50, Billy Verreynne (JW) wrote:
> Reinhard Tartler wrote:
> > If you are really after security, it may be worth in looking into
> > SELinux, (maybe AppArmour as well, but I havn't looked at that yet).
> > Both are kernel patches though.
>
> Thanks Reinhard. But I'm stuck with RHES as these are "certified"
> platforms.
RHES/RHEL (are they the same?) come with SELinux already configured. Whether
or not it's actually running is merely a configuration issue. No patching or
recompiling kernels required
As Reinhard Tartler has already said, any programmer worth their salt should
be able to bind to a privileged socket as root before dropping privs, and any
admin worth their salt should understand that apps designed in this fashion
largely avoid the "running as root" problems and to binding as root doesn't
in itself open any security issues.
What admins want is privilege separation: ie, nothing should run as root
unless there is absolutely no other option - including daemons and server
processes. If nothing could do the "root bind-to-socket, then drop privs"
routine, you'd have a pretty odd setup!
Sounds like your problem is political, not technical :P Good luck with that -
my idea of politics is to use terms like "cancel your account" or "sign you
up to pr0n spam"....I'm NOT a politician :P
Good luck.
James
--
The price of seeking to force our beliefs on others is that someday
they might force their beliefs on us.
-- Mario Cuomo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20060310/1f04f9dc/attachment.sig>
More information about the ubuntu-users
mailing list