LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

LCE: The failure of operating systems and how we can fix it

LCE: The failure of operating systems and how we can fix it

Posted Nov 24, 2012 18:59 UTC (Sat) by Cyberax (✭ supporter ✭, #52523)
In reply to: LCE: The failure of operating systems and how we can fix it by dlang
Parent article: LCE: The failure of operating systems and how we can fix it

> you can make it so that a normal user can bind to port 80, you can also setup iptables rules so that packets only flow on port 80 (or port 80 at a specific IP address) to and from processes running as a particular user.
>it's not as trivial as a chown, but it's possible.
How? So far I have tried:
1) Iptables - simply DoesNotWork(tm), particularly for localhost.
2) Redirectors - PITA to setup and often no IPv6 support.
3) Capabilities - no way to make it work with Python scripts or Java apps.

For now I'm using nginx as a full-scale HTTP proxy.

That restriction for <1024 ports is by far the most moronic stupid imbecilic UNIX feature ever invented.

(Log in to post comments)

LCE: The failure of operating systems and how we can fix it

Posted Nov 24, 2012 19:09 UTC (Sat) by bronson (subscriber, #4806) [Link]

It made sense in the 80s and 90s where the typical Unix host was serving tens to thousands of people and root tended to be trustworthy. No sysadmin wants his users competing to be the first to bind to port 79.

It's true that those days are long gone and it's time for this restriction to disappear.

LCE: The failure of operating systems and how we can fix it

Posted Nov 24, 2012 19:13 UTC (Sat) by dlang (✭ supporter ✭, #313) [Link]

I don't have the time to look it up right now, but I remember seeing a /proc entry that removed the <1024 limit.

I agree that in the modern Internet, that really doesn't make sense, but going back, you had trusted admins (not just of your local box, but of the other boxes you were talking to), and in that environment it worked.

so think naive not moronic

remember, these are the same people who think that firewalls are evil because they break the unlimited end-to-end connectivity of the Internet. :-)

LCE: The failure of operating systems and how we can fix it

Posted Nov 24, 2012 19:21 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link]

>I don't have the time to look it up right now, but I remember seeing a /proc entry that removed the <1024 limit.
There is no such record (I naively thought so too). You can check the Linux source.

>I agree that in the modern Internet, that really doesn't make sense, but going back, you had trusted admins (not just of your local box, but of the other boxes you were talking to), and in that environment it worked.
A good mechanism would haven been to allow users access to a range of ports. Something simple like /etc/porttab with list of port ranges and associated groups would suffice.

>remember, these are the same people who think that firewalls are evil because they break the unlimited end-to-end connectivity of the Internet. :-)
I happen to think the same. Security should not be done on network's border, instead all the systems should be secured by local firewalls.

LCE: The failure of operating systems and how we can fix it

Posted Nov 24, 2012 19:26 UTC (Sat) by dlang (✭ supporter ✭, #313) [Link]

>> I don't have the time to look it up right now, but I remember seeing a /proc entry that removed the <1024 limit.

> There is no such record (I naively thought so too). You can check the Linux source.

Ok, I thought I remembered seeing it at some point in the past, I may have mixed it up with the ability to bind to IP addresses that aren't on the box <shrug>

I wonder how quickly someone could whip up a patch to add this ;-)

seriously, has this been discussed and rejected, or has nobody bothered to try and submit something like this?

LCE: The failure of operating systems and how we can fix it

Posted Nov 24, 2012 19:58 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link]

Yes, I remember that such patch was proposed way back then and rejected. And now it will be further complicated by cgroups/namespaces/whatever.

LCE: The failure of operating systems and how we can fix it

Posted Jan 10, 2013 12:03 UTC (Thu) by dps (subscriber, #5725) [Link]

Putting my system admin hat on I want both border *and* host security. There is a lot that makes sense to block at borders because outsiders have no business using them. Servers on the safe side of firewalls often have to have more services configured and are therefore less secure.

If both a border firewall blocks some attack traffic then a security bug on an internal system is not immediately fatal and there is time to fix it before the border firewall's security is breached. If that has not happened that implies nobody worthwhile has tried or you can't detect security breaches.

In an ideal world there would be no need for security because nobody would even think of doing a bad dead. The world has never been that way.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds