undefined | Better HN

0 pointssimoncion10y ago0 comments

> But privileged ports are too course...

I agree that there are situations that not-infrequently arise that require additional IP port access restrictions. However, do you agree that removing the notion of privileged ports [0] would

1) Not give you the more-fine grained access restrictions that you're looking for

2) Actually weaken security on Linux systems

? (Additionally, GRSecurity, SELinux, and -apparently- AppArmor all appear to provide the finer-grained control that you're looking for. There is also this [1] which lets you do something like what Windows Firewall does and use iptables to restrict which uid/gids can do certain types of IP communication.)

[0] That is to say, remove the restriction that one must run as root to bind to ports < 1024.

[1] https://www.debian-administration.org/article/120/Applicatio... [2]

[2] Even though the kconfig option has changed names, it appears to serve the same function (see the Owner section of [3])

[3] http://ipset.netfilter.org/iptables-extensions.man.html

0 comments

parenthephobia10y ago

> I agree that there are situations that not-infrequently arise that require additional IP port access restrictions.

They arise quite frequently if you're running non-standard network services.

I have a service that I don't want to run as a root user, even temporarily, and therefore it needs to bind to a non-privileged port. In principle, another service could bind to the same port if it goes down.

> However, do you agree that removing the notion of privileged ports...

I'm not convinced people are suggesting only removing the privileged port restriction, but rather replacing it with something more flexible.

Just being able to lock ports down to a uid would suffice for many use cases and could work the same way as the legacy system by default, with ports <1024 reserved for root and other ports not reserved. Then, e.g.

# echo "8080 <MYUID>" > /proc/sys/net/ipv4/conf/all/portsec/register

and no-one but me can bind to 8080 on any interface.

Of course there are more extensive proposed solutions, but this would solve every problem I've ever had with binding to a privileged (or not) port.

> There is also this which lets you do something like what Windows Firewall does and use iptables to restrict which uid/gids can do certain types of IP communication

That's only a solution if I can bind to the port in the first place, and in a way that doesn't open me up to having my port hijacked by some other process, like on Windows.

mappu10y ago

>Just being able to lock ports down to a uid would suffice for many use cases and could work the same way as the legacy system by default, with ports <1024 reserved for root and other ports not reserved. Then, e.g. # echo "8080 <MYUID>" > /proc/sys/net/ipv4/conf/all/portsec/register

It can be done in userspace with `authbind` (based on some LD_PRELOAD magic).

    # apt-get install authbind
    # echo '0.0.0.0,8080-8081' >> /etc/authbind/byuid/$(id -u $TARGETUSER)

Then as user:

    $ authbind my-daemon

j / k navigate · click thread line to collapse