On Tue, Nov 28, 2006 at 11:39:02AM +0200, Shachar Shemesh wrote:
> Gilad Ben-Yossef wrote:
> >
> > Prepare a small library that intercepts calls to the library socket()
> > and bind() calls and if, according to the parameters, the socket/bind
> > is for the low port socket, instead of calling the actual bind/socket
> > of the library, will simply return the appropriate saved file
> > descriptor. For an example of how to do this see:
> > http://www.codefidence.com/src/bindtodevice.c
>
> The major flaw with this approach is that it will only work if you:
> 1. Know, in advance, how many sockets the application opens.
> and
> 2. Can recognize the right socket at the time of the "socket" call.
>
> One can try and generalize this by not catching "socket" at all, only
> catching "bind", and then doing "dup2" to rename the pre-bound socket to
> the right fd. This still runs the risk that the application did ioctl of
> one kind or another on the socket between "socket" and "bind", which
> will now be lost (which my original approach, admittedly even crazier
> than this one, solved by duping the actual application socket).
>
> To summarize the non kernel based solutions (i.e. - assuming neither
> capabilities nor SELinux offer a solution):
> 1. My solution - Trace (actually, LD_PRELOAD will probably be easier)
> the application, set up a euid=0 runner that listens on a shared Unix
> domain socket. When the application tries to "bind", pass the fd to the
> listening program and let it do the binding. Downsides: it's crazy. It
> requires a euid 0 program around for the entire duration of the daughter
> program running (potential security risk through the socket).
> 2. Didi's solution - authbind. It uses a SUID helper program and global
> configuration files to check whether it's ok to bind the port.
> Downsides: ANOTHER SUID program on the system. The security person in me
> cringes at the way the permissions are synchronized with the program
> running.
> 3. Gilad's solution - trace the relevant calls, connect the received
> socket to a pre-bound socket. The only solution where no root programs
> are run during the program's execution. Downside: need to be able to
> predict what the program will be doing.

4. Ilya's solution - use iptables to redirect to an unprivileged port.

--
Didi
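The following is an added example, not code from the thread or from the bindtodevice.c link above. It models the core of Gilad's approach (option 3, in the "catch bind only" form Shachar describes) inside a single unprivileged process: a socket is pre-bound, the "application" later opens its own socket, and the interposed bind() step substitutes the pre-bound descriptor with dup2(). To stay root-less the pre-bound socket uses 127.0.0.1 port 0 instead of a real low port (an assumption for this demo), and the function names (`make_prebound`, `swap_in_prebound`, `is_privileged_bind`, `demo`) are the example's own. The `demo` function also reproduces the caveat Shachar raises: a socket option the application set between socket() and bind() is no longer visible after the swap.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* The recognition step the interposed bind() needs: is this request for a
 * port that would normally require root (1-1023)? Handles IPv4 and IPv6. */
int is_privileged_bind(const struct sockaddr *addr, socklen_t len) {
    uint16_t port = 0;
    if (addr->sa_family == AF_INET && len >= sizeof(struct sockaddr_in))
        port = ntohs(((const struct sockaddr_in *)addr)->sin_port);
    else if (addr->sa_family == AF_INET6 && len >= sizeof(struct sockaddr_in6))
        port = ntohs(((const struct sockaddr_in6 *)addr)->sin6_port);
    return port != 0 && port < 1024;
}

/* Return the local port a socket is bound to, or -1 on error. */
int bound_port(int fd) {
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return -1;
    return ntohs(sa.sin_port);
}

/* The socket a privileged stage would create and hand down. Assumption for a
 * root-less demo: bind port 0 on loopback so the kernel picks an ephemeral port
 * (a real helper would bind the actual low port before dropping privileges). */
int make_prebound(int *port_out) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    *port_out = bound_port(fd);
    return fd;
}

/* What the interposed bind() does once it recognizes the low-port request:
 * make the application's fd number refer to the pre-bound socket instead. */
int swap_in_prebound(int app_fd, int prebound_fd) {
    return dup2(prebound_fd, app_fd) < 0 ? -1 : 0;
}

/* Read back SO_REUSEADDR so the caveat can be observed. */
int get_reuseaddr(int fd) {
    int v = 0;
    socklen_t l = sizeof v;
    if (getsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &v, &l) < 0) return -1;
    return v;
}

/* Full scenario. Returns 1 if app_fd ends up on the pre-bound port.
 * *option_lost is set to 1 if the option the application set before
 * bind() is gone after the swap (the "ioctl between socket and bind" caveat). */
int demo(int *option_lost) {
    int port = -1;
    int pre = make_prebound(&port);
    int app = socket(AF_INET, SOCK_STREAM, 0);   /* the application's own socket */
    if (pre < 0 || app < 0) return 0;
    int one = 1;                                  /* app's pre-bind setup */
    setsockopt(app, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (swap_in_prebound(app, pre) < 0) return 0;
    *option_lost = (get_reuseaddr(app) == 0);     /* now reads the pre-bound socket's state */
    int ok = (bound_port(app) == port);
    close(app);
    close(pre);
    return ok;
}

int main(void) {
    int lost = 0;
    int ok = demo(&lost);
    printf("swap worked: %d, pre-bind option lost: %d\n", ok, lost);
    return ok ? 0 : 1;
}
```

In a real LD_PRELOAD shim the `bind` override would call `is_privileged_bind` on its arguments, fall through to the libc bind (via dlsym RTLD_NEXT) for everything else, and obtain the pre-bound descriptor from a privileged parent that created it before exec; the lost-option check above is why the thread prefers duping the application's socket or passing it to a helper over plain dup2 substitution.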
