Old 01-09-2005, 05:40 PM   #14
andrewas
Harper
 

Join Date: October 2, 2001
Location: Aberdeen, Scotland
Age: 42
Posts: 4,774
Quote:
Originally posted by LennonCook:

quote:
If you can explain why any software that is going to bind to a port 1-1024 needs to be started as root then I might start to believe in some of the mythical security that Linux has.

If that were true, you would need to start a web browser as root since they bind to port 80. FTP clients, mail clients, GAIM and its kin. They all connect to ports, inbound and outbound, and yet they can be started by anyone who can access the executable. I run aMSN, Thunderbird, Firefox, xChat, ncFTP, and GAIM regularly as me. Check your facts.

Actually, Seraph is right about this. You need root privileges to bind to a port <1024. Run a ps -A with apache running and you should see the parent process is running as root, with a bunch of non-root children (assuming you actually had some traffic other than your own testing, which you don't). Which neatly explains why this isn't a problem with apache - the processes doing all the work don't have root privilege. Other programs get round this by dropping root privilege after binding to the port.

I would have reservations about running anything that kept root privileges on a process which was listening to a port, since an author that didn't think to work around that probably didn't secure the rest of it properly. But, this is it. It's up to the author to write a secure program, and the admin to choose a secure program. Linux doesn't generally make mistakes for you, and it won't do things like exposing file and print sharing to the internet by default. Or running a messenger service on every machine by default regardless of whether it's needed. Or basing a large portion of its local infrastructure on a protocol intended for remote execution of code.