Aral Balkan

3 years ago

Aral Balkan
3 years ago

Dear Linux, Privileged Ports Must Die

ar.al/2022/08/30/dear-linux-pr…

Dear Linux, Privileged Ports Must Die

Privileged ports, toffs of the Linux world. Kitten is a small web server that runs as a user-level service and would never need elevated privileges if it wasn’t for one archaic anti-security feature in Linux that dates back to the mainframe era: pr…

^{Aral Balkan}

Aral Balkan reshared this.

in reply to Aral Balkan

ArneBab

in reply to Aral Balkan 3 years ago

my first thought was "uh, what?!"

But starting unprivileged at 80 sounds good.

I would not want unprivileged to start at 22, though: SSH must stay in the domain of root because it is how any other user can log in.

If it gives privilege, it should be a privileged port.

in reply to ArneBab

Aral Balkan

in reply to ArneBab 3 years ago

@ArneBab Yeah, I’m totally fine with that (and that’s probably going to be a sticking point for a lot of folks and isn’t the hill I wish to die on. More than happy with 80.)

@ArneBab

in reply to Aral Balkan

Lars Lehtonen

in reply to Aral Balkan 3 years ago

The first UNIX TCP/IP implementation was released in 1983.

in reply to Lars Lehtonen

@alrs Thanks, Lars, appreciate the fact checking (it was the one bit I couldn’t find a proper source for and, after your post, some more digging brought up the original implementation). I’ve updated the post accordingly; appreciate it :)

ar.al/2022/08/30/dear-linux-pr…

Dear Linux, Privileged Ports Must Die

Privileged ports, toffs of the Linux world. Kitten is a small web server that runs as a user-level service and would never need elevated privileges if it wasn’t for one archaic anti-security feature in Linux that dates back to the mainframe era: pr…

^{Aral Balkan}

@Lars Lehtonen

Unknown parent

Aral Balkan

Unknown parent 3 years ago

@shortwavesurfer2009 That (badly-named setting) works for both 🤷‍♂️

Unknown parent

Aral Balkan

Unknown parent 3 years ago

@mxm Yeah, that’s what led me to using sysctl in the first place :) source.small-tech.org/site.js/…

Disable privileged ports security theatre on Linux instead of using setcap (#169) · Issues · Site.js / app

Summary Currently, we’re using setcap to grant the CAP_NET_BIND_SERVICE privilege to allow Node.js (during development and testing) and the Site.js binary...

^GitLab

Unknown parent

Aral Balkan

Unknown parent 3 years ago

@shortwavesurfer2009 👍

in reply to Aral Balkan

BrightSide

in reply to Aral Balkan 3 years ago

You can do this for specific executables using "setcap 'cap_net_bind_service=+ep' /path/to/program"

Or (not to get tangled in another discussion about this) but if you launch with a systemd service you can put AmbientCapabilities=CAP_NET_BIND_SERVICE in your [Service] section

in reply to BrightSide

Aral Balkan

in reply to BrightSide 3 years ago

@brightside Yeah, I know :)

source.small-tech.org/site.js/…

Disable privileged ports security theatre on Linux instead of using setcap (#169) · Issues · Site.js / app

Summary Currently, we’re using setcap to grant the CAP_NET_BIND_SERVICE privilege to allow Node.js (during development and testing) and the Site.js binary...

^GitLab

@brightside