MOO-cows Mailing List Archive
Re: Fun with FUP and root.
> I've got a solution that'd allow you to not ever need root
> perms in the MOO server and still get low port numbers. How
> about a simple program that runs outside the MOO with root
> perms that simple routes from 80 to say 8000 or something
> usable by the MOO. Make the router invisible to both sides
> and I think it'd work with a minimal of performance loss, and
> a LOT less security loss.
If you're running a recent Linux kernel, you can use the IP
firewalling tools to play games with port numbers---for example, route
all TCP connections from port 80 to port 1180. Other firewalls may be
able to do this as well.
A pure Unix solution that I'd feel better about is to write a little
program called moo-ports, invoked something like this:
moo-ports --uid moo-srv --ports "25 80 119" --exec ./moo
which would bind ports 25, 80, and 119, set some environment variable
to indicate which file descriptors went with which ports, throw away
privs and exec the ./moo server. When it was time for the server to
listen() on port 25, it'd notice that it already had a file descriptor
ready for that and just use it.
This keeps the code running with root perms to a minimum, and
gets rid of suid anything.
Jay Carlson email@example.com firstname.lastname@example.org
Flat text is just *never* what you want. ---stephen p spackman
Subject Index |