Aral Balkan

2 years ago

Aral Balkan
2 years ago

Linux really needs to remove the “privileged ports” security theater bullshit.

We’re no longer living in the mainframe era. The security properties of the Internet are different to mainframes. This is actually an anti-feature that either complicates life or actually compromises security (when folks run servers as root and forget to drop privileges , etc.).

If anyone has any sway within the kernel team, etc., please do your thing.

source.small-tech.org/site.js/…

#linux #security #theatre #networking

Disable privileged ports security theatre on Linux instead of using setcap (#169) · Issues · Site.js / app

Summary Currently, we’re using setcap to grant the CAP_NET_BIND_SERVICE privilege to allow Node.js (during development and testing) and the Site.js binary...

^GitLab

in reply to Aral Balkan

Aral Balkan

in reply to Aral Balkan 2 years ago

Bloody autocorrect got me with the American spelling of the word in the end. I knew it would one day :)

in reply to Aral Balkan

Simone Silvestroni (M2M)

in reply to Aral Balkan 2 years ago

after Brexit, Johnson's win at the GE and all the shenanigans that followed pushed me to leave the UK, I made a point of using the American spelling everywhere I can.

I know it sounds silly, but imagine if I go back to the UK and keep doing it :D

in reply to Aral Balkan

Gert V 🇵🇸

in reply to Aral Balkan 2 years ago

Perhaps it is not about mainframes, but multi-user systems? Sudo (and its group) is supposed to make life easier on multi-user systems..

in reply to Aral Balkan

Stefan Midjich ꙮ҄

in reply to Aral Balkan 2 years ago

how is it theatre? For example when I have to expose ssh to the internet I usually use port 2022 because at least that's one more layer of security, in case someone gets user access to the system and are able to crash the ssh service they can't start their own service that harvests passwords because it was on a privileged port.

in reply to Stefan Midjich ꙮ҄

Aral Balkan

in reply to Stefan Midjich ꙮ҄ 2 years ago

@stemid Please see the linked page (and the articles linked to that) :)

@Stefan Midjich ꙮ҄

in reply to Aral Balkan

Stefan Midjich ꙮ҄

in reply to Aral Balkan 2 years ago

ok I read the post but all I can say is that I deploy services of all sorts of languages and frameworks for a living and I never have to give them any higher privileges. Because in production there is always a proxy in front of the service, and in dev they can use nonstandard ports.

So I still see no reason to allow services to use privileged ports in my view. But we all have different perspectives.

in reply to Stefan Midjich ꙮ҄

Aral Balkan

in reply to Stefan Midjich ꙮ҄ 2 years ago

@stemid This is my use case: ar.al/2020/08/07/what-is-the-s…

We need to set up your own Facebook on your own server in under a minute with no technical knowledge required on your part. And democratise development while we’re at it as much as possible. So no front controller/proxy, etc., setups. Think lightweight server with in-process database.

But, beyond use cases, again, it provides no real security unless you’re administering a System/360.

What is the Small Web?

Today, I want to introduce you to a concept – and a vision for the future of our species in the digital and networked age – that I’ve spoken about for a while but never specifically written about: The Small Web.

^{Aral Balkan}

@Stefan Midjich ꙮ҄

in reply to Aral Balkan

paillp

in reply to Aral Balkan 2 years ago

@stemid I mean, there's just plenty of solutions. From what I read in your article you have found one through modifying a kernel parameter. Which means that the mechanism is implemented. It's just not enabled by default.

I see lots of workarounds to your problem and Linux in itself doesn't prevent one from achieving the behavior you're looking for.

@Stefan Midjich ꙮ҄

in reply to paillp

Aral Balkan

in reply to paillp 2 years ago

@paillp @stemid Yes and those workarounds complicate workflows and create usability issues.

@Stefan Midjich ꙮ҄ @paillp

in reply to Aral Balkan

paillp

in reply to Aral Balkan 2 years ago

This is just about cap config

`sudo setcap 'cap_net_bind_service=+ep' /usr/bin/nc`

in reply to paillp

Aral Balkan

in reply to paillp 2 years ago

@paillp Please see the linked page (and the articles linked to that) :)

@paillp

in reply to Aral Balkan

Carlos Mogas da Silva

in reply to Aral Balkan 2 years ago

stopped reading the article after "And this does not work if the daemon is written in Java, which is quite popular for web servers."

in reply to Aral Balkan

yin yang yoink

in reply to Aral Balkan 2 years ago

or you could just run a reverse proxy

in reply to yin yang yoink

Aral Balkan

in reply to yin yang yoink 2 years ago

@oreolek I’m trying to simplify things, not complicate them :)

ar.al/2020/08/07/what-is-the-s…

What is the Small Web?

Today, I want to introduce you to a concept – and a vision for the future of our species in the digital and networked age – that I’ve spoken about for a while but never specifically written about: The Small Web.

^{Aral Balkan}

@yin yang yoink

in reply to Aral Balkan

Cyberspice

in reply to Aral Balkan 2 years ago

Desktop linux. We use it heavily in embedded devices!

Unknown parent

Aral Balkan

Unknown parent 2 years ago

@demvw Just = the only reason you need sudo during an installation process. These things have usability ramifications.

in reply to Aral Balkan

maswan

in reply to Aral Balkan 2 years ago

It isn't security theatre in our case, where we have thousands of shell users and the user/root boundary is the most essential security feature.

in reply to maswan

Aral Balkan

in reply to maswan 2 years ago

@maswan That’s cool but it’s also an edge case today. So having that as a feature you can turn on, versus one that nearly everyone else has to turn off (or work around) would make much more sense.

@maswan

in reply to Aral Balkan

maswan

in reply to Aral Balkan 2 years ago

Maybe, but I'm not convinced from your links that it is such an odd edge case even among places that just runs a handful of services per VM in regards to horizontal traversal.

⇧

Aral Balkan 2 years ago • •

Aral Balkan
2 years ago