Non-root processes using registered ports
Billy Verreynne (JW)
VerreyB at telkom.co.za
Thu Mar 9 08:50:25 UTC 2006
Reinhard Tartler wrote:
> This is by design. Only root processes can bind to ports <1024. Most
> daemons which do so start as root, bind to that socket, and drop
> privileges afterwards.
That is what I told the developers, but they're insistent on not
running as root. Guess they're treading carefully around <cough cough>
the Linux admin/support person.. :-)
> If you are really after security, it may be worth looking into
> SELinux, (maybe AppArmor as well, but I haven't looked at that yet).
> Both are kernel patches though.
Thanks Reinhard. But I'm stuck with RHES as these are "certified"
platforms. Which is also why I'm hesitant about building a new kernel as
some of the ISV support and maintenance agreements are very specific
about the o/s side.
Pity though as there's a nice looking registered port ACL
implementation at http://killa.net/infosec/acls/.
--
Billy