Re: Fun with FUP and root.

• Date: Wed, 26 Feb 1997 21:48:51 PST
• From:
  Jay Carlson <nop@nop.com>
• cc: Moo-Cows Mailing List <moo-cows@parc.xerox.com>
• In-reply-to: Your message of "Wed, 26 Feb 97 17:18:38 PST." <3314E0EE.7E6A@ipass.net>

> I've got a solution that'd allow you to not ever need root
> perms in the MOO server and still get low port numbers.  How
> about a simple program that runs outside the MOO with root
> perms that simple routes from 80 to say 8000 or something
> usable by the MOO.  Make the router invisible to both sides
> and I think it'd work with a minimal of performance loss, and
> a LOT less security loss.

If you're running a recent Linux kernel, you can use the IP
firewalling tools to play games with port numbers---for example, route
all TCP connections from port 80 to port 1180.  Other firewalls may be
able to do this as well.

A pure Unix solution that I'd feel better about is to write a little
program called moo-ports, invoked something like this:

  moo-ports --uid moo-srv --ports "25 80 119" --exec ./moo

which would bind ports 25, 80, and 119, set some environment variable
to indicate which file descriptors went with which ports, throw away
privs and exec the ./moo server.  When it was time for the server to
listen() on port 25, it'd notice that it already had a file descriptor
ready for that and just use it.

This keeps the code running with root perms to a minimum, and
gets rid of suid anything.
-- 
Jay Carlson    nop@nop.com    nop@kagoona.mitre.org

Flat text is just *never* what you want.   ---stephen p spackman

• Re: Fun with FUP and root.
• From: Mike Thompson <shadowr@ipass.net>

• Prev: Re: Fun with FUP and root.
• Next: Re: Fun with FUP and root.
• Index: MOO-cows
• Thread: MOO-cows