From: Thomas Weber (x_at_4t2.com)
Date: Thu 01 Aug 2002 - 13:20:50 BST
On Thu, Aug 01, 2002 at 09:42:57AM +0200, klavs klavsen wrote:
> I have an idea about how vserver could/should be able to restrict what
> is allowed to listen on a certain port, in a certain vserver context.
>
> One should be able to define
>
> PORTS="'named'/53tcp+udp 'listener -Idbname'/1521tcp" which would only
> allow a process called named to listen on port 53tcp and udp, and a
> process matching 'listener -Idbname' to listen on port 1521tcp.
so i hack the box, install my backdoor, mv mybackdoor named, start named and
I can bind to port 53(tcp+udp).
doesn't sound like some reasonable idea to me, especially regarding all the
kernel hacks that'd be involved - and vserver administration would get
unecessary complicated.
> Then one should be be able to define that no other process can bind any
> ports, by setting f.ex.
> ALLOWOTHERPORTS=no
>
> the PORTS variable could be enhanced, to allow port-ranges (1023> and
> 1023><6000), checking for a certain UID/GID and even checking that the
> process executable has the right SHA-1 hash value.
ok, this would block renaming of the process. but consider a box with lots
of vservers on it. everytime one of the vserver admins decides to upgrade
it's software, he has to coordinate with the main vserver admin to change
the configuration.
> These measures would greatly enhance the vserver security, as a hacker
> who got hold of root in your vserver would not be able to install a
> common root kit for instance.
if you don't want anything (except for the specified process / port
combinations) in the vserver to use some 'random' port for outgoing traffic,
just set up some firewalling rules in the main server.
if you want users/root to bind to some unspecified ports for outgoing traffic,
it's a piece of cake to tune the rootkit to use these ports.
> As I don't know of any programs which bind ports too often, I don't
> think there should be a performance problem.
but it would bloat the kernel and i don't see much gain from it. There other
ways to achieve almost the same.
just my 2 cents ;-)
Tom