Vulnerability Development: Re: Ports 0-1023?

Re: Ports 0-1023?

From: Blue Boar <BlueBoar_at_thievco.com>
Date: Thu, 04 Jul 2002 21:06:44 -0700

Brian Hatch wrote:
>>For something like a telnetd,
>>or sshd that uses PAM.... in order to drop to a shell as the uid of the
>>authenticated user, do they really need root?
>
> You need *something* that's running as root. It may not be the process
> itself, but there must be something that can hand off a new UID. Take
> suexec, part of Apache. It's a suid executable that has a quite rigid
> set of conditions that must be correct for it to run a CGI as a
> different user. The most important rule being that the suexec program
> is only called from the webserver user, which is specified at suexec
> compile time.
>
> Something like this would be needed for user 'telnetd' to let you
> log in as you, instead of it.

I've never looked at the su source, but that's pretty much exactly what I
had in mind.

>>If you have the
>>authentication information for the user, then you could call the system
>>call equivalent of su, right?
>
>
> If you have the password, sure, you could do something like that. But
> many authentication schemes (ssh identities, challenge/response, etc)
> do not offer you the actual password, so you're stuck getting a
> different UID by some setuid() call.

Which is why I specifically mention PAM. I realize that not every single
authentication scheme will have a system-wide equivalent. Notably, the key
form of SSH authentication, which I forgot to mention before, and which one
subscriber reminded me about off-list.

It seems like a good idea to me to keep as much of the authentication code
in one place as possible, and let programs call that. At present, that
seems to be PAM. Just seems a better idea than letting each program
reimplement the same thing, and having that many more opportunities to get
it wrong.

>>What would be wrong with doing things this way (other than having to code
>>it)?
> You're trading UID root for suid root helper programs. Now whether
> this is 'wrong' or not depends on your thinking.

I'm also trying to enable daemons that don't really need to be root at all,
the ones that only wanted root in order to bind to a low port (save of
course that at present they DO have to be root at least part of the time to
get the low port). Add to that some daemons that also needed root to
authenticate people... and could just do so through PAM, and you might make
a dent in reducing the amount of code run as root.

Thanks for the comments.

                                                        BB
Received on Jul 05 2002
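The "root only to bind the low port" pattern discussed in this thread, as an added example that is not from the thread or from any of the posters: the daemon binds the privileged port while it still has root, then drops to an unprivileged uid/gid with setgroups()/setgid()/setuid() in that order and verifies the drop cannot be undone before serving any client. Port 80 and uid/gid 65534 ("nobody" on most Linux systems) in main() are illustrative assumptions, not values from the thread.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a listening TCP socket on the given port (INADDR_ANY).
 * Ports below 1024 need root (or CAP_NET_BIND_SERVICE) at bind time,
 * which is why a daemon does this step *before* dropping privileges.
 * Returns the socket fd, or -1 on failure (errno set). */
int bind_listener(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0 ||
        listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Irrevocably drop to uid/gid. Order matters: supplementary groups and
 * the gid must go first, because once the uid is unprivileged the
 * process can no longer change them. Returns 0 on success, -1 on error
 * (errno set); it also returns -1 if the drop turns out to be reversible. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0) {
        /* Only root may clear supplementary groups; skip when unprivileged. */
        if (setgroups(0, NULL) != 0) return -1;
    }
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* Verify: ids actually changed and root cannot be regained. As root,
     * setuid() sets real, effective and saved uid, so setuid(0) must fail. */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM; /* saved uid was still 0: the drop was not complete */
        return -1;
    }
    return 0;
}

int main(void) {
    /* Illustrative values (assumptions for the demo, not from the thread):
     * port 80, uid/gid 65534 = "nobody" on most Linux systems. */
    const unsigned short port = 80;
    const uid_t run_uid = 65534;
    const gid_t run_gid = 65534;

    int fd = bind_listener(port);
    if (fd < 0) {
        fprintf(stderr, "bind port %u: %s (need root or CAP_NET_BIND_SERVICE)\n",
                port, strerror(errno));
        return 1;
    }
    if (drop_privileges(run_uid, run_gid) != 0) {
        fprintf(stderr, "privilege drop failed: %s; refusing to serve as root\n",
                strerror(errno));
        close(fd);
        return 1;
    }
    printf("listening on port %u as uid %u; root can no longer be regained\n",
           port, (unsigned)getuid());
    /* The accept() loop would follow here, running entirely unprivileged. */
    close(fd);
    return 0;
}
```

The point of the post-drop checks is that a daemon which fails to drop privileges must refuse to serve rather than silently keep running as root; the listening socket stays usable after the drop because socket permissions are checked at bind time, not per accept().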
