Vulnerability Development mailing list archives
Re: Ports 0-1023?
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Thu, 4 Jul 2002 14:41:14 -0400 (EDT)
On 4 Jul 2002, Dave Aitel wrote:
> Realistically, every OS has always had a local exploit for its entire history.
Same about remote exploits... This does not change the fact that you have a chance to be lucky if you maintain your local security (i.e. don't have 50+ suids from default distribution, properly configure temporary storage and permissions, keep setuid software up-to-date, etc). Of course, it takes much more experience and knowledge, and most vendors are doing their best not to make your life simpler, but it isn't impossible. Better privilege control would be better, at least in theory. In practice, of course, I would expect many vendors to ship things with maximum privileges set just to save some time - just as we have some root daemons and setuid root applications shipping with no good reason, a separate account and setgid would do.
> Why not just run every process as root and get rid of all the other pesky conventions?
Including mail clients or web browsers, and other software that really has to bind low ports, write to /etc and do other things like that?;>
> The more you get into ACLs, the more you move to an NT-style "everything is complicated" permissions system. This increases complexity and demonstrably decreases overall security (how many services don't run as SYSTEM these days? Any?).
Static ACLs are generally as flawed as uid 0 access control, because such solutions force programmers to use very careful and highly modular design - which is pretty much like telling them to code in safer programming languages. Otherwise, any reasonably big monolithic application has to access so many things it is not that different from giving it root privileges. But it is not impossible to design a good ACL (perhaps dynamic) system. And there are some automated ACL systems that can actually profile the application and automate the process, with only minor tweaking necessary. Of course, once again, vendors would most likely do their best to render this mechanism almost useless.

--
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};: =-=>
Did you know that clones never use mirrors?
<=-= http://lcamtuf.coredump.cx/photo/
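The pattern the message argues for (a daemon that needs a low port gets root only long enough to bind it, then runs under its own unprivileged account rather than as root) as an added example in C; this is not code from the thread or from any of its participants. The service account (uid/gid 65534, the usual "nobody"), the port, and the function names are assumptions for illustration. The point a practitioner should take from it is the verification step: after dropping, the process checks that it can no longer become uid 0, because a "drop" that can be undone has hidden the privilege rather than given it up.

```c
/* Added example, not the original poster's code: bind a privileged port
 * while still root, then irrevocably drop to an unprivileged account
 * before handling any untrusted input.  SERVICE_UID/GID, the port and
 * all function names are assumptions made for this illustration. */
#define _GNU_SOURCE           /* for setgroups() in <grp.h> on glibc */
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed unprivileged service account ("nobody"/"nogroup" on many systems). */
#define SERVICE_UID 65534
#define SERVICE_GID 65534

/* Create a listening TCP socket on the given port.  Returns the fd or -1
 * (errno set).  Ports below 1024 need uid 0 (or CAP_NET_BIND_SERVICE on
 * Linux); port 0 asks the kernel for an ephemeral port, which is handy
 * for exercising the function without privileges. */
int listen_on_port(uint16_t port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Switch to uid/gid for good.  Order matters: supplementary groups and
 * the gid are changed first, because once the uid is unprivileged the
 * process may no longer change its groups.  Returns 0 on success. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1; /* drop extra groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;  /* as root this sets real, effective and saved uid */
    return 0;
}

/* Confirm the drop cannot be undone.  Returns 1 only if the process is
 * no longer root *and* an attempt to regain uid 0 / gid 0 is refused. */
int privilege_drop_was_effective(void) {
    if (geteuid() == 0 || getuid() == 0) return 0;
    if (setuid(0) == 0 || setgid(0) == 0) return 0; /* must fail with EPERM */
    return 1;
}

/* Target ids that make sense whether or not we start as root: a real
 * drop to the service account when root, otherwise a no-op re-set of
 * our own ids (an unprivileged process may not change to anyone else). */
uid_t target_uid(void) { return geteuid() == 0 ? (uid_t)SERVICE_UID : getuid(); }
gid_t target_gid(void) { return geteuid() == 0 ? (gid_t)SERVICE_GID : getgid(); }

int main(void) {
    int fd = listen_on_port(80);               /* privileged port: needs root */
    if (fd < 0) { perror("listen_on_port(80)"); return 1; }
    if (drop_privileges(target_uid(), target_gid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    if (!privilege_drop_was_effective()) {
        fputs("still privileged after drop; refusing to serve\n", stderr);
        return 1;
    }
    printf("listening on fd %d as uid %u\n", fd, (unsigned)getuid());
    /* accept() loop would go here, now running as the service account */
    close(fd);
    return 0;
}
```

Run as root it binds port 80 and then serves as uid 65534; run unprivileged it fails at the bind, which is the point of the low-port convention. On Linux the same effect without ever holding uid 0 is to grant the binary only CAP_NET_BIND_SERVICE (setcap) and start it directly as the service account; the verification step is still worth keeping, since a service that can re-acquire root has not really been confined.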