[Nut-upsdev] Re: [nut-commits] svn commit r731

Henning Brauer hb-nut at bsws.de
Tue Jan 23 20:39:28 CET 2007 

* Peter Selinger <selinger at mathstat.dal.ca> [2007-01-23 17:51]:
> Arjen de Korte wrote:
> > 
> > >> > root's socket ownership can have more consequences. don't do that.
> > >> Root doesn't own the socket, since we drop privileges before
> > >> backgrounding, just a short while later.
> > > root DOES own the socket, because it gets opened by root. that is
> > > recorded and does not change by the daemon dropping privileges.
> > 
> > Oops! Point taken, this *has* to go (I didn't realize that).
> > 
> > Fortunately, the trouble with STATEPATH requires rewriting the load_conf()
> > function anyway, so this takes no additional effort. People wanting to use
> > privileged ports (for whatever reason there may be) will have to run the
> > server as root then and accept the consequences.
> 
> I don't think this is a good idea. If this is indeed determined to be
> a security problem (I still fail to see why exactly), then there
> should still be an option, for those who need it, of opening a
> privileged port and then dropping root. That is definitely safer than
> opening a privileged port and then continuing to run a potentially
> messy application as root. 

how the owner of sockets affects things is operating system dependent. 
as I mentioned before, it is definately possible to have packet filters 
based on socket ownersip in place; socket buffer allocation rules 
(especilly under memory pressure) can be different, there's certainly 
more.

why do you want to support this in the first place? There is a risk 
(are you 100% certain the pre-privdrop codepath is bugfree? that's why 
you keep the lines of code running as root as low as possible...). I 
cannot imagine anyone running nut ona privileged port - and if anybody 
should, it's ... just plain wrong and still debatable wether nut should 
support its users doing stupid things.

why don't you do it the other way round; open the listening sockets 
after dropping privileges (and thus lose privileged ports, but you're 
on the safe side), and if really anybody cries later because he is 
using a low port and discovers that doesn't work any more, reconsider 
adding the button.

-- 
Henning Brauer, hb at bsws.de, henning at openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

More information about the Nut-upsdev mailing list