Skip to main content

Linux really needs to remove the “privileged ports” security theater bullshit.

We’re no longer living in the mainframe era. The security properties of the Internet are different to mainframes. This is actually an anti-feature that either complicates life or actually compromises security (when folks run servers as root and forget to drop privileges , etc.).

If anyone has any sway within the kernel team, etc., please do your thing.

https://source.small-tech.org/site.js/app/-/issues/169

#linux #security #theatre #networking

Disable privileged ports security theatre on Linux instead of using setcap (#169) · Issues · Site.js / app

Summary Currently, we’re using setcap to grant the CAP_NET_BIND_SERVICE privilege to allow Node.js (during development and testing) and the Site.js binary...
GitLab
#linux #security #théâtre #networking
in reply to Aral Balkan

Aral Balkan
Aral Balkan
Bloody autocorrect got me with the American spelling of the word in the end. I knew it would one day :)
in reply to Aral Balkan

Simone Silvestroni (M2M)
Simone Silvestroni (M2M)
after Brexit, Johnson's win at the GE and all the shenanigans that followed pushed me to leave the UK, I made a point of using the American spelling everywhere I can.

I know it sounds silly, but imagine if I go back to the UK and keep doing it :D
in reply to Aral Balkan

Gert V 🇵🇸
Gert V 🇵🇸
Perhaps it is not about mainframes, but multi-user systems? Sudo (and its group) is supposed to make life easier on multi-user systems..
in reply to Aral Balkan

Stefan Midjich ꙮ҄
Stefan Midjich ꙮ҄
how is it theatre? For example when I have to expose ssh to the internet I usually use port 2022 because at least that's one more layer of security, in case someone gets user access to the system and are able to crash the ssh service they can't start their own service that harvests passwords because it was on a privileged port.
in reply to Stefan Midjich ꙮ҄

Aral Balkan
Aral Balkan
@stemid Please see the linked page (and the articles linked to that) :)
@Stefan Midjich ꙮ҄
in reply to Aral Balkan

Stefan Midjich ꙮ҄
Stefan Midjich ꙮ҄
ok I read the post but all I can say is that I deploy services of all sorts of languages and frameworks for a living and I never have to give them any higher privileges. Because in production there is always a proxy in front of the service, and in dev they can use nonstandard ports.

So I still see no reason to allow services to use privileged ports in my view. But we all have different perspectives.
in reply to Stefan Midjich ꙮ҄

Aral Balkan
Aral Balkan
@stemid This is my use case: https://ar.al/2020/08/07/what-is-the-small-web/

We need to set up your own Facebook on your own server in under a minute with no technical knowledge required on your part. And democratise development while we’re at it as much as possible. So no front controller/proxy, etc., setups. Think lightweight server with in-process database.

But, beyond use cases, again, it provides no real security unless you’re administering a System/360.

What is the Small Web?

Today, I want to introduce you to a concept – and a vision for the future of our species in the digital and networked age – that I’ve spoken about for a while but never specifically written about: The Small Web.
Aral Balkan
@Stefan Midjich ꙮ҄
in reply to Aral Balkan

paillp
paillp
@stemid I mean, there's just plenty of solutions. From what I read in your article you have found one through modifying a kernel parameter. Which means that the mechanism is implemented. It's just not enabled by default.

I see lots of workarounds to your problem and Linux in itself doesn't prevent one from achieving the behavior you're looking for.
@Stefan Midjich ꙮ҄
in reply to paillp

Aral Balkan
Aral Balkan
@paillp @stemid Yes and those workarounds complicate workflows and create usability issues.
@Stefan Midjich ꙮ҄ @paillp
in reply to Aral Balkan

paillp
paillp
This is just about cap config

`sudo setcap 'cap_net_bind_service=+ep' /usr/bin/nc`
in reply to paillp

Aral Balkan
Aral Balkan
@paillp Please see the linked page (and the articles linked to that) :)
@paillp
in reply to Aral Balkan

Carlos Mogas da Silva
Carlos Mogas da Silva
stopped reading the article after "And this does not work if the daemon is written in Java, which is quite popular for web servers."
in reply to Aral Balkan

demvw
demvw
Wanted to say: Just edit the net.ipv4.ip_unprivileged_port_start, until I read the article 😜
in reply to demvw

Aral Balkan
Aral Balkan
@demvw Just = the only reason you need sudo during an installation process. These things have usability ramifications.
@demvw
in reply to Aral Balkan

yin yang yoink
yin yang yoink
or you could just run a reverse proxy
in reply to yin yang yoink

Aral Balkan
Aral Balkan
@oreolek I’m trying to simplify things, not complicate them :)

https://ar.al/2020/08/07/what-is-the-small-web/

What is the Small Web?

Today, I want to introduce you to a concept – and a vision for the future of our species in the digital and networked age – that I’ve spoken about for a while but never specifically written about: The Small Web.
Aral Balkan
@yin yang yoink
in reply to Aral Balkan

Cyberspice
Cyberspice
Desktop linux. We use it heavily in embedded devices!
in reply to Aral Balkan

maswan
maswan
It isn't security theatre in our case, where we have thousands of shell users and the user/root boundary is the most essential security feature.
in reply to maswan

Aral Balkan
Aral Balkan
@maswan That’s cool but it’s also an edge case today. So having that as a feature you can turn on, versus one that nearly everyone else has to turn off (or work around) would make much more sense.
@maswan
in reply to Aral Balkan

maswan
maswan
Maybe, but I'm not convinced from your links that it is such an odd edge case even among places that just runs a handful of services per VM in regards to horizontal traversal.