Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: root owner of daemons?
Special Forums Cybersecurity root owner of daemons? Post 17226 by PxT on Tuesday 12th of March 2002 11:28:57 AM
Old 03-12-2002
One of the dangers of running a daemon as root is that if a malicious user can cause the daemon to crash, it is possible to execute arbitrary code with the privileges of the user that runs the daemon. In the case of root this means there is a possibility of having complete control of the system. Many root-kits incorporate a compromise of a daemon that is used to install a root-backdoor which the attacker can then use to log in and gain a full system-level shell account.

If you run your daemon as a normal user, the attacker is limited by the permissions of that user. Run as nobody to give the least possible permissions. If you must have root to bind to ports less than 1024, drop privileges as soon as possible.
 

10 More Discussions You Might Find Interesting

1. IP Networking

DNS daemons

Does anyone know the command to start the DNS Daemon. I looked in the /etc/init.d/inetsvc file and it tells me what the text should look like. When I go to open the corresponding files they are encoded and I can't read them. So is there a command that will start the DNS daemon? If... (8 Replies)
Discussion started by: Deuce
8 Replies

2. UNIX for Dummies Questions & Answers

Daemons

MYSQL-daemon don't started automatically by system-start. And same trouble with httpd too. I have SuSE 8.0. What can I do ? Thanks.... (6 Replies)
Discussion started by: Pennywize
6 Replies

3. Linux

A doubt on Daemons

Hi there! I'm a bit curious on something about Daemons.... Supose you have two processes say A and B, where B is a daemon. A is totally independent from B. Is there a way for A to find out B's return code? Is there a way for A to find out when B ends? Thanks! (4 Replies)
Discussion started by: marioh
4 Replies

4. Solaris

Owner of file gets 'not owner' error for chgrp

Hi Folks, I know that changing users and groups is pretty basic admin, but this one has got me stumped. When I try to change the group of a file for which I am the owner for, it still gives me a 'Not owner' error. For example, when I am logged in as 'webadmin', I have the following file: ... (4 Replies)
Discussion started by: brizrobbo
4 Replies

5. UNIX for Advanced & Expert Users

How UNIX admin set up this? how files of 744 of other owner can be removed by another owner?

Hi all, We have some files are under 744 permissions and the the owner is say owner1 and group1. Now we have another user owner2 of group2, owner2 can remove files of the owner1 and the permission of those files are 744, unix admin told us he did some config at his side so we can do that. ... (14 Replies)
Discussion started by: TheGunMan
14 Replies

6. UNIX for Dummies Questions & Answers

How to display only Owner and directory/sub directory names under particular root

hai, I am new to Unix, I have a requirement to display owner name , directory or sub directory name, who's owner name is not equal to "oasitqtc". (here "oasitqtc" is the owner of the directory or sub directory.) i have a command (below) which will display all folders and sub folders, but i... (6 Replies)
Discussion started by: gagan4599
6 Replies

7. AIX

Unix root directory owner wrong AIX 5.3

The a chown was done and instead of using ./ a / was used and root ownership files got changed. I need to change the ownership of the files/directory back - backups are not working and I am concerned a reboot will not be successful. Can anyone provide the ownership of these files/directories... (6 Replies)
Discussion started by: spike1
6 Replies

8. UNIX for Dummies Questions & Answers

Creating a file where the owner and group is not root

Hi, I'm the root user on my computer, but I'm writing a script that does a lot of file handling. Every time I create a file or directory it automatically requires root privileges. Is there a way I can just create a file that the user can access without a password? For example in my script I... (20 Replies)
Discussion started by: jdilts
20 Replies

9. Solaris

Privileges : modify dir/file owner by other that's not owner

i need to do the following operations in solaris 10: 1.change owner and group owner for files which are not owned by the current user and user group 2.to can delete files in the /tmp directory which are not of the current user 3. allow to a standard user the deletion of files in the /tmp... (1 Reply)
Discussion started by: sirmark
1 Replies

10. UNIX for Beginners Questions & Answers

UNIX command to display Owner,Group,Root and Subdirectories list

Hi Team, Am a newbie to Unix. As I would like to see the Server Name,Owner Name ( not numeric form), Group Name ( not numeric ID), ROOT path. I would like to send this list as an attachment to my personal mail. Can any one please help me out to to resolve this . Here is the sample result... (6 Replies)
Discussion started by: vasuvv
6 Replies

LEARN ABOUT REDHAT

spawn

SPAWN(8)						      System Manager's Manual							  SPAWN(8)

NAME

       spawn - Postfix external command spawner

SYNOPSIS

       spawn [generic Postfix daemon options] command_attributes...

DESCRIPTION

       The  spawn  daemon provides the Postfix equivalent of inetd.  It listens on a port as specified in the Postfix master.cf file and spawns an
       external command whenever a connection is established.  The connection can be made over local IPC (such as  UNIX-domain	sockets)  or  over
       non-local  IPC  (such  as TCP sockets).	The command's standard input, output and error streams are connected directly to the communication
       endpoint.

       This daemon expects to be run from the master(8) process manager.

COMMAND ATTRIBUTE SYNTAX

       The external command attributes are given in the master.cf file at the end of a service definition.  The syntax is as follows:

       user=username (required)

       user=username:groupname
	      The external command is executed with the rights of the specified username.  The software refuses  to  execute  commands	with  root
	      privileges,  or  with the privileges of the mail system owner. If groupname is specified, the corresponding group ID is used instead
	      of the group ID of of username.

       argv=command... (required)
	      The command to be executed. This must be specified as the last command attribute.  The command is executed  directly,  i.e.  without
	      interpretation of shell meta characters by a shell command interpreter.

BUGS

       In  order  to  enforce  standard Postfix process resource controls, the spawn daemon runs only one external command at a time.  As such, it
       presents a noticeable overhead by wasting precious process resources. The spawn daemon is expected to be  replaced  by  a  more	structural
       solution.

DIAGNOSTICS

       The spawn daemon reports abnormal child exits.  Problems are logged to syslogd(8).

SECURITY

       This program needs root privilege in order to execute external commands as the specified user. It is therefore security sensitive.  However
       the spawn daemon does not talk to the external command and thus is not vulnerable to data-driven attacks.

CONFIGURATION PARAMETERS

       The following main.cf parameters are especially relevant to this program. See the Postfix main.cf file for syntax details and  for  default
       values. Use the postfix reload command after a configuration change.

Miscellaneous
       export_environment
	      List of names of environment parameters that can be exported to non-Postfix processes.

       mail_owner
	      The process privileges used while not running an external command.

Resource control
       service_command_time_limit
	      The  amount  of  time the command is allowed to run before it is killed with force. The service name is the name of the entry in the
	      master.cf file. The default time limit is given by the global command_time_limit configuration parameter.

SEE ALSO

       master(8) process manager
       syslogd(8) system logging

LICENSE

       The Secure Mailer license must be distributed with this software.

AUTHOR(S)
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

																	  SPAWN(8)
All times are GMT -4. The time now is 03:59 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy