Re: Capabilities

Peter Benie (pjb1008@cam.ac.uk)
Thu, 10 Feb 2000 16:48:39 +0000

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Jeff V. Merkey: "Re: NetWare Volume IMAGER 1.0 Released/NWFS 2.0.1 Released"
Previous message: Jeff Garzik: "Re: Make clean impossible in 2.3.42"

Matthew Kirkwood writes ("Re: Capabilities"):
> > Capabilities don't solve the inability to change which port is bound
> > since cap_net_bind_service is equivalent to root on most machines.
>
> Please explain? If bind has only CNBS and runs as user "named",
> then there is no root equivalence that I can see.

If you can bind to low numbered ports, you can fake credentials for
rsh or rlogin. From there, you can get to root on many machines
without much difficulty. Even if you can't get root, CNBS is still
sufficiently powerful that I wouldn't want bind to keep running with
that capability.

Peter

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jeff V. Merkey: "Re: NetWare Volume IMAGER 1.0 Released/NWFS 2.0.1 Released"
Previous message: Jeff Garzik: "Re: Make clean impossible in 2.3.42"