Aral Balkan

Linux really needs to remove the “privileged ports” security theater bullshit.

We’re no longer living in the mainframe era. The security properties of the Internet are different to mainframes. This is actually an anti-feature that either complicates life or actually compromises security (when folks run servers as root and forget to drop privileges, etc.).

If anyone has any sway within the kernel team, etc., please do your thing.

source.small-tech.org/site.js/

#linux #security #theatre #networking

20 comments
Aral Balkan

Bloody autocorrect got me with the American spelling of the word in the end. I knew it would one day :)

  Simone Silvestroni (M2M)

@aral after Brexit, Johnson's win at the GE and all the shenanigans that followed pushed me to leave the UK, I made a point of using the American spelling everywhere I can.

I know it sounds silly, but imagine if I go back to the UK and keep doing it :D

Gert V

@aral Perhaps it is not about mainframes, but multi-user systems? Sudo (and its group) is supposed to make life easier on multi-user systems..

Stefan Midjich ꙮ҄

@aral how is it theatre? For example when I have to expose ssh to the internet I usually use port 2022 because at least that's one more layer of security, in case someone gets user access to the system and is able to crash the ssh service they can't start their own service that harvests passwords because it was on a privileged port.

  Aral Balkan

@stemid Please see the linked page (and the articles linked to that) :)

  paillp

@aral @stemid I mean, there's just plenty of solutions. From what I read in your article you have found one through modifying a kernel parameter. Which means that the mechanism is implemented. It's just not enabled by default.

I see lots of workarounds to your problem and Linux in itself doesn't prevent one from achieving the behavior you're looking for.

  Aral Balkan

@paillp @stemid Yes and those workarounds complicate workflows and create usability issues.

  Stefan Midjich ꙮ҄

@aral ok I read the post but all I can say is that I deploy services of all sorts of languages and frameworks for a living and I never have to give them any higher privileges. Because in production there is always a proxy in front of the service, and in dev they can use nonstandard ports.

So I still see no reason to allow services to use privileged ports in my view. But we all have different perspectives.

  Aral Balkan

@stemid This is my use case: ar.al/2020/08/07/what-is-the-s

We need to set up your own Facebook on your own server in under a minute with no technical knowledge required on your part. And democratise development while we’re at it as much as possible. So no front controller/proxy, etc., setups. Think lightweight server with in-process database.

But, beyond use cases, again, it provides no real security unless you’re administering a System/360.

  hkc (Carbonated)

@stemid "oh no, someone already got access to our system and starts collecting its data, I'm sure it's not too late to stop everything!"

  Stefan Midjich ꙮ҄

@hatkidchan it's absolutely not too late. System access does not mean access to sensitive data. That is precisely why Linux has things like multiple user accounts, file permissions, promiscuous mode networking, and of course more advanced MAC systems like selinux. So no, the battle is absolutely not lost just because someone has access to a system.

paillp

@aral This is just about cap config

`sudo setcap 'cap_net_bind_service=+ep' /usr/bin/nc`

  Aral Balkan

@paillp Please see the linked page (and the articles linked to that) :)

Carlos Mogas da Silva

@aral stopped reading the article after "And this does not work if the daemon is written in Java, which is quite popular for web servers."

demvw

@aral Wanted to say: Just edit the net.ipv4.ip_unprivileged_port_start, until I read the article 😜

  Aral Balkan

@demvw Just = the only reason you need sudo during an installation process. These things have usability ramifications.
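
The two mechanisms named in this thread, the `cap_net_bind_service` capability and the `net.ipv4.ip_unprivileged_port_start` sysctl, are what decide whether a bind to a low port succeeds. The following is an added example, not code from any participant or from the linked article: it reads both and reports why a given port can or cannot be bound. The helper names and the sample status text are constructed, and it assumes the process runs in the initial network namespace.

```python
import sys

CAP_NET_BIND_SERVICE = 10  # bit index, from <linux/capability.h>
SYSCTL = "/proc/sys/net/ipv4/ip_unprivileged_port_start"

# Constructed sample of /proc/<pid>/status for an ordinary user process.
SAMPLE_STATUS = (
    "Name:\tserver\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "CapEff:\t0000000000000000\n"
)


def parse_status(text):
    """Return (effective uid, effective capability mask) from status text."""
    fields = dict(l.split(":", 1) for l in text.splitlines() if ":" in l)
    euid = int(fields["Uid"].split()[1])  # real, effective, saved, fs
    return euid, int(fields["CapEff"].strip(), 16)


def can_bind(port, status_text, unprivileged_port_start=1024):
    """Return (allowed, reason) for binding `port` (hypothetical helper)."""
    euid, cap_eff = parse_status(status_text)
    if port >= unprivileged_port_start:
        return True, "port is not below ip_unprivileged_port_start"
    if cap_eff & (1 << CAP_NET_BIND_SERVICE):
        if euid == 0:
            return True, "running as root: drop privileges after bind()"
        return True, "non-root process holds CAP_NET_BIND_SERVICE"
    return False, "needs CAP_NET_BIND_SERVICE or a lower sysctl value"


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 443
    with open("/proc/self/status") as f:
        status = f.read()
    try:
        with open(SYSCTL) as f:
            start = int(f.read())
    except FileNotFoundError:  # kernel without this sysctl
        start = 1024
    print(port, *can_bind(port, status, start))
```

Run as a script on a Linux host it inspects the current process; the "running as root" result is the case the original post warns about, where a server keeps root after binding.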

Oreolek

@aral or you could just run a reverse proxy

Cyberspice

@aral Desktop linux. We use it heavily in embedded devices!

  Cyberspice

@aral I did read the articles. In embedded we also use selinux to lock everything down even more.
