
BSD-style securelevel comes to Linux — again

Posted Sep 20, 2013 1:46 UTC (Fri) by giraffedata (subscriber, #1954)
In reply to: BSD-style securelevel comes to Linux — again by mm7323
Parent article: BSD-style securelevel comes to Linux — again

The simplest example would be a server process that wished to bind to a low port (<1024) using CAP_NET_BIND_SERVICE. Once the bind() is done, the capability can be dropped, but the already obtained file descriptor for the socket stands and can still be used.

That's exactly what I object to and what I don't do on my system. Instead, a privileged program dedicated to binding sockets runs with CAP_NET_BIND_SERVICE and binds the socket, then execs the server program. The server program inherits the file descriptor, but no capabilities.

That way, I don't have to trust the server program to use CAP_NET_BIND_SERVICE properly, and drop it properly. I only have to trust the one binder program, which does the job for everyone and is very stable.

(And besides, I don't like having all that duplicate socket setup code in every server program - another good reason to have a separate program dedicated to that).
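
A concrete form of the binder described in the comment above, written as an added example for this page (it is not giraffedata's program and not part of the LWN article). The design assumed here: the binder binary carries the file capability `cap_net_bind_service=ep` and is started by an ordinary user; it binds and listens, zeroes every capability set it holds, and only then execs the server, passing the socket as fd 3 with `LISTEN_PID`/`LISTEN_FDS` set, the convention systemd socket activation uses, so a server that already calls `sd_listen_fds()` can be started this way unchanged (that the server accepts the convention is an assumption). The fd number, the environment variables and the deployment are choices made for the example, not anything the comment specifies.

```c
/* bindexec: hypothetical binder in the spirit of the comment above, written
 * for this page (not giraffedata's program).  Binds a listening TCP socket,
 * drops every capability, then execs the real server, which inherits only the
 * descriptor.  Assumed deployment: file capabilities on this binary
 * (setcap cap_net_bind_service=ep bindexec), run by an ordinary user:
 *   ./bindexec 80 /usr/sbin/httpd --foreground
 * Handover as fd 3 plus LISTEN_PID/LISTEN_FDS follows systemd's convention. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

#define LISTEN_FD 3   /* systemd's SD_LISTEN_FDS_START */

/* Parse a TCP port; non-numeric input or anything outside 1..65535 gives -1. */
int parse_port(const char *s)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    return (errno || end == s || *end || v < 1 || v > 65535) ? -1 : (int)v;
}

/* Create, bind and listen on an IPv4 TCP socket.  The bind() below 1024 is
 * the only step that needs CAP_NET_BIND_SERVICE.  Returns the fd or -1. */
int bind_listen(int port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    if (fd < 0)
        return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 128) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Port the socket is actually bound to (port 0 lets the kernel choose one). */
int bound_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    return getsockname(fd, (struct sockaddr *)&sa, &len) < 0 ? -1 : ntohs(sa.sin_port);
}

/* Move the socket to the agreed descriptor number with FD_CLOEXEC clear so it
 * survives execve().  dup2() always leaves the flag clear on the new fd. */
int place_fd(int fd, int target)
{
    if (fd != target) {
        if (dup2(fd, target) < 0)
            return -1;
        close(fd);
        return 0;
    }
    int flags = fcntl(fd, F_GETFD);
    return (flags < 0 || fcntl(fd, F_SETFD, flags & ~FD_CLOEXEC) < 0) ? -1 : 0;
}

/* Zero effective, permitted and inheritable (and ambient, where the kernel has
 * it).  With nothing inheritable or ambient, execve() of a binary without file
 * capabilities yields a process holding no capability at all. */
int drop_all_caps(void)
{
#ifdef PR_CAP_AMBIENT
    prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);   /* Linux >= 4.3 */
#endif
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0 } };
    return syscall(SYS_capset, &hdr, data) < 0 ? -1 : 0;
}

int main(int argc, char **argv)
{
    int port = argc >= 3 ? parse_port(argv[1]) : -1;
    if (port < 0) {
        fprintf(stderr, "usage: %s PORT SERVER [ARGS...]\n", argv[0]);
        return 2;
    }
    int fd = bind_listen(port);
    if (fd < 0 || place_fd(fd, LISTEN_FD) < 0) {
        perror("bind");
        return 1;
    }
    if (drop_all_caps() < 0) {   /* never exec the server while still privileged */
        perror("capset");
        return 1;
    }
    char pid[32];
    snprintf(pid, sizeof pid, "%ld", (long)getpid());
    setenv("LISTEN_PID", pid, 1);   /* execve() keeps the pid, so the check passes */
    setenv("LISTEN_FDS", "1", 1);
    execvp(argv[2], argv + 2);
    perror("execvp");
    return 1;
}
```

To see the handover without any privilege, run it with port 0 and a shell as the "server": `./bindexec 0 /bin/sh -c 'ls -l /proc/self/fd/3; grep Cap /proc/self/status'` shows fd 3 as a socket and all capability sets as zero. Two caveats: if the binder is started as uid 0 rather than via file capabilities, the exec'd server gets root's full capability set regardless of `drop_all_caps()` (the usual root semantics apply unless `SECBIT_NOROOT` is set), so the binder must run as an unprivileged user for the scheme to deliver what the comment describes; and `dup2()` onto fd 3 silently replaces anything the binder inherited there, which is what you want from a dedicated binder but worth knowing if the program is reused.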


Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds