System Security (was: Re: [MUD-Dev] players who "take away from the game")

[Bruce]

On November 11, 1999, J C Lawrence wrote:
>On Wed, 10 Nov 1999 22:00:11 -0700
>cg  <cg at ami-cg.GraySage.Edmonton.AB.CA> wrote:
>> Aha! A technical issue! :-)
>
><<Oops>>


Yay!

>If you bind to a port less than 1024 on a Unix system your server
>must run as root.  Ergo, if there is a stack overflow ir similar
>exploit in your server, an arbitrary user can obtain root access on
>your system.
>
>There are a couple simple ways to protect against this:
>
>  -- setuid() away from root for all portions of the code that don't
>deal with the sokcet calls.  You should do this sort of
>setuid()/setgid() protection in any privileged code your write
>anyway.  Always.  This leaves the exploint window inthe soket code
>only, not your entire app/server.
>
>  -- Use a helper program which runs as root to do the privileged
>socket IO which then communicates to the server which runs as a
>non-priviledged user via some other stack.


One other option, used by Genesis (the Cold driver) at the least (I'd assume
it is used by other stuff as well), is to pre-bind various privileged ports
during the startup of the server and then setuid() away from root for the
rest of the execution time of the server.  When you attempt to bind a
socket, it first checks to see if it is in the list of prebound sockets and
if so, uses it from there.

There are some flaws in the Genesis implementation, but it largely works.
I'll probably look at borrowing the same approach for whatever server
architecture I end up moving to (I no longer use Cold.).

 - Bruce





_______________________________________________
MUD-Dev maillist  -  MUD-Dev at kanga.nu
http://www.kanga.nu/lists/listinfo/mud-dev