HCSW Technical Blog
by
|
Viewing entries 7 through 7.
Most Recent Blog Entries
RSS Feed
| 7. What's so special about 1 through 1023? |
| Unix requires a process to have root privileges before it is allowed to bind() to ports 1 through 1023 inclusive. However, everybody knows the introduction of personal computers, more accesible network connections, and a generally less trustable internet make counting on the source or destination ports of a remote system foolish. What's worse, many programs are unnecessarily run with root privileges, at least initially, simply because they need to bind to a low port. In light of this, Unix should do away with this restriction and everybody will be better off. Right? Let's think about this for a second. The hackers that have evolved unix for decades are neither incompetent nor naive - if there was no practical use for such a restriction it probably would have been phased out long ago. Not suprisingly, the port restriction has always existed to prevent a different type of attack: Let's say Jimmy has an account on a server so that he can do various unprivileged tasks. If Jimmy finds a way to crash a system server, or is able to login before the server starts, for instance, and is able to bind() his own process to the port the server uses then he's free to serve his own malicious content. To all outsiders, it could be made to look identical to the original service except for perhaps some sinister injection of data. The port restrictions prevent this and, in general, add one more layer of security to the local unix environment. Instead of complaining about this (sometimes annoying) restriction, one might want to expend some energy helping more granular port permissions become widely adopted. On the other hand, keeping it simple is also a respectably rational choice. |