From: Thomas Weber (x_at_4t2.com)
Date: Thu 01 Aug 2002 - 13:20:50 BST
On Thu, Aug 01, 2002 at 09:42:57AM +0200, klavs klavsen wrote:
> I have an idea about how vserver could/should be able to restrict what
> is allowed to listen on a certain port, in a certain vserver context.
> One should be able to define
> PORTS="'named'/53tcp+udp 'listener -Idbname'/1521tcp" which would only
> allow a process called named to listen on port 53tcp and udp, and a
> process matching 'listener -Idbname' to listen on port 1521tcp.
So I hack the box, install my backdoor, mv mybackdoor named, start named, and
I can bind to port 53 (tcp+udp).
Doesn't sound like a reasonable idea to me, especially regarding all the
kernel hacks that'd be involved - and vserver administration would get
> Then one should be able to define that no other process can bind any
> ports, by setting f.ex.
> the PORTS variable could be enhanced, to allow port-ranges (1023> and
> 1023><6000), checking for a certain UID/GID and even checking that the
> process executable has the right SHA-1 hash value.
OK, this would block renaming of the process. But consider a box with lots
of vservers on it. Every time one of the vserver admins decides to upgrade
its software, he has to coordinate with the main vserver admin to change
> These measures would greatly enhance the vserver security, as a hacker
> who got hold of root in your vserver would not be able to install a
> common root kit for instance.
If you don't want anything (except for the specified process / port
combinations) in the vserver to use some 'random' port for outgoing traffic,
just set up some firewalling rules in the main server.
If you want users/root to bind to some unspecified ports for outgoing traffic,
it's a piece of cake to tune the rootkit to use these ports.
> As I don't know of any programs which bind ports too often, I don't
> think there should be a performance problem.
But it would bloat the kernel and I don't see much gain from it. There are other
ways to achieve almost the same.
Just my 2 cents ;-)
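The "firewalling rules in the main server" alternative, as an added example that is not part of this thread and not vserver's own code: a POSIX sh script that reads a PORTS-style spec in the format proposed above ("'named'/53tcp+udp 'listener -Idbname'/1521tcp") and emits host-side iptables rules for one vserver IP. The process names are deliberately discarded, since the host firewall only sees addresses and ports (which is why it cannot be fooled by renaming a binary, but also why it cannot tell named from anything else bound to 53). The function names, the vserver IP 10.0.0.5 and the INPUT/OUTPUT chain layout are assumptions; the script prints the rules rather than applying them, so review the output before piping it to sh.

```shell
#!/bin/sh
# Added example (not from the list thread): turn a PORTS-style spec such as
#   "'named'/53tcp+udp 'listener -Idbname'/1521tcp"
# into host-side iptables rules for one vserver IP. Prints the rules only.

# Print one "PORT PROTO" pair per line for every port/protocol in the spec.
# Quoted process names are stripped: the host firewall cannot see them.
ports_spec_pairs() {
    spec=$1
    # remove the quoted process name and its slash, leaving e.g. "53tcp+udp"
    printf '%s\n' "$spec" | sed "s/'[^']*'\///g" | tr ' ' '\n' |
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        port=${entry%%[a-z]*}        # leading digits, e.g. 53
        protos=${entry#"$port"}      # remainder, e.g. tcp+udp
        case "$port" in
            ''|*[!0-9]*) echo "bad port in entry: $entry" >&2; exit 1 ;;
        esac
        for proto in $(printf '%s' "$protos" | tr '+' ' '); do
            case "$proto" in
                tcp|udp) echo "$port $proto" ;;
                *) echo "bad protocol in entry: $entry" >&2; exit 1 ;;
            esac
        done
    done
}

# Emit the rules for one vserver address (assumed to be an alias on the host):
#  - accept inbound traffic only to the listed ports,
#  - drop any other new inbound connection to that address,
#  - drop new outbound connections originating from that address, so a
#    process in the vserver cannot pick a 'random' port to talk out on.
# Replies from the permitted listeners are ESTABLISHED and still flow;
# services that must initiate outbound connections (a resolving named,
# for instance) need their own explicit OUTPUT ACCEPT rules added.
vserver_firewall_rules() {
    ip=$1
    spec=$2
    pairs=$(ports_spec_pairs "$spec") || return 1
    printf '%s\n' "$pairs" | while read -r port proto; do
        echo "iptables -A INPUT -d $ip -p $proto --dport $port -j ACCEPT"
    done
    echo "iptables -A INPUT -d $ip -m state --state NEW -j DROP"
    echo "iptables -A OUTPUT -s $ip -m state --state NEW -j DROP"
}

# Usage: vserver_firewall_rules 10.0.0.5 "'named'/53tcp+udp 'listener -Idbname'/1521tcp"
# prints three ACCEPT rules (53/tcp, 53/udp, 1521/tcp) followed by the two DROP rules.
```

Because only the port/protocol part survives parsing, the same spec can be reused both for the in-kernel check the original poster proposed and for the host firewall; the firewall side is what limits the damage once a process inside the vserver has been replaced, regardless of its name or hash.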