binding to privileged Linux ports (<= 1024)

mc2718
Newbie
Posts: 3
Joined: Sat Feb 06, 2010 2:13 am

Post by mc2718 »

Hi, could someone please explain how I can get wine to fully mimic Windows behavior and let me bind to privileged Linux ports, most importantly 80 and 843? Thanks for any pointers.
Gert van den Berg

Post by Gert van den Berg »

On Sat, Feb 6, 2010 at 09:20, mc2718 <[email protected]> wrote:
Hi, could someone please explain how I can get wine to fully mimic Windows behavior and let me bind to privileged Linux ports, most importantly 80 and 843? Thanks for any pointers.
POSIX Capabilities are the safe way....

Running as root is the easy, but dangerous way...

Gert
Martin Gregorie

Post by Martin Gregorie »

On Sat, 2010-02-06 at 01:20 -0600, mc2718 wrote:
Hi, could someone please explain how I can get wine to fully mimic
Windows behavior and let me bind to privileged Linux ports, most
importantly 80 and 843? Thanks for any pointers.
See CAP_NET_BIND_SERVICE in man 7 capabilities

To set the capability, see man 3 cap_set_fd

also look up socket(), bind(), listen()


Martin
oiaohm
Level 8
Posts: 1020
Joined: Fri Feb 29, 2008 2:54 am

Post by oiaohm »

mc2718, there are reasons CAP_NET_BIND_SERVICE is not default for normal users under Linux.

1) A lot of the ports 1024 and under are items that run for a very long time. So they should be protected by running as independent users and preferably have a Linux Security Module configured over them.

If you need to be going near root or capabilities, it's a warning sign.

843 is one of the big question marks to me. Seriously, why? The only use of that I know of is this http://www.adobe.com/devnet/flashplayer ... files.html. It's a native perl or python script. Normally you use the python one. Now if something else is using that port there could be big trouble.

Even port 80 is a question mark.
mc2718
Newbie
Posts: 3
Joined: Sat Feb 06, 2010 2:13 am

Post by mc2718 »

I have to have this functionality in order to take part in a Flash development project. The project environment is unfortunately not under my control - I need 843 for the Flash policy server and 80 for a local ONLY web server, so that I can run the tools and examples I need to build on. Life is life.

Do I set the capability on wine itself? Will the other windows goodies (exe files, etc) then inherit those?
oiaohm
Level 8
Posts: 1020
Joined: Fri Feb 29, 2008 2:54 am

Post by oiaohm »

mc2718. The issue I have: the Flash policy server can be installed natively; running it inside wine will be costly on CPU time and RAM without any advantage.

The policy file is the same no matter what the flash policy server is running on, i.e. Linux or windows. It just returns information to the flash client on what ports the client can or cannot talk to, so nothing OS related.

So there is zero justification for using wine to run a flash policy server. Instead follow the instructions and install a native one.

Next question: what type of http server? Is Apache fine? If so, again just use native. Apache does have configurations to be local only.

<Directory "/">
Order Deny,Allow
Allow from 127.0.0.1
Deny from All
</Directory>

That, in the configuration for the apache site, completely blocks anyone from accessing the site who is not on the current machine. On top of that you can enable the linux firewall to block all external access to port 80. So 100 percent making sure no outside access will happen.

Big problem since you say local ONLY web server as if it is a requirement of the project. Using wine to run the web server is 100 percent not recommended for security reasons.

Wine has had to emulate some of the flaws in the windows networking stack so games and other badly behaving programs work. So anything running on top is not 100 percent secure and more likely to be a security risk than using native.

People say to me all the time "I am not in control of the project." That is not the matter; you are in control of your own machine.

This is the problem: you turn CAP_NET_BIND_SERVICE on for wine and too many things also get access to that permission. Things you may not want having access to that permission.

Simple fact here mc2718: most web servers out there are on Linux or some other kind of Unix, not windows. At some point you have to learn how to configure and build site files for apache and how to install the flash policy server on linux.

All the flash examples I know have instructions from adobe on how to set them up on apache on Linux or Unix anyhow.

Remember an apache site file on native linux can make any directory a web site, including a directory inside the wine C drive, as long as it is given the path to where it is, the Linux security module doesn't block it and it has permission.

Another issue about running on port 80 inside wine is that if some day you forget and install apache or any other Linux web server from package management it will take over port 80, cutting the web server running in wine out. Whereas the package management installed versions will warn you of a possible problem if you try to install a different one from package management, i.e. a conflict.

Really, stop trying to be lazy mc2718. You are risking paying huge prices for it.
Martin Gregorie

Post by Martin Gregorie »

On Sat, 2010-02-06 at 13:25 -0600, mc2718 wrote:
I have to have this functionality in order to take part in a Flash
development project. The project environment is unfortunately not
under my control - I need 843 for the Flash policy server and 80 for a
local ONLY web server, so that I can run the tools and examples I need
to build on. Life is life.

Do I set the capability on wine itself? Will the other windows goodies
(exe files, etc) then inherit those?
If you write a Linux wrapper that sets the capabilities appropriately
and then execs Wine with the execve() function Wine will inherit the
capabilities, but can only pass them to your process if it uses execve()
to launch Windows programs.

If none of the Wine devs[*] supply the answer you'd best look at its
source to see what it does and raise a bug if it doesn't use execve() to
launch Windows programs.

[*] disclaimer: I am not a wine dev and haven't seen its source. Since
Wine runs the apps I need I'm not planning to read its source anytime
soon.


Martin
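A small diagnostic, added here and not from this thread or the Wine project, for checking the inheritance question above: it reads the effective capability set of the running process from /proc/self/status, and then attempts a bind to a low port on loopback so the two can be compared. Run it directly, and again through whatever wrapper or exec chain is under test, to confirm whether CAP_NET_BIND_SERVICE actually arrived in the child (or, from the defender's side, that it did not reach a process that should not have it). The bit number 10 for CAP_NET_BIND_SERVICE is the value from <linux/capability.h>.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>

#define CAP_NET_BIND_SERVICE_BIT 10  /* CAP_NET_BIND_SERVICE in <linux/capability.h> */

/* Is bit `cap` set in a CapEff-style hex mask such as "0000003fffffffff"? */
int cap_in_mask(const char *hexmask, int cap)
{
    unsigned long long mask = strtoull(hexmask, NULL, 16);
    return (int)((mask >> cap) & 1ULL);
}

/* Read this process's effective capability set from /proc/self/status (it is
 * recomputed at every execve(), so check it in the child, not the wrapper);
 * returns 1/0, or -1 if the file cannot be read. */
int have_cap_net_bind_service(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256]; int result = -1;
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (strncmp(line, "CapEff:", 7) == 0) {
            result = cap_in_mask(line + 7, CAP_NET_BIND_SERVICE_BIT);
            break;
        }
    fclose(f);
    return result;
}

/* Bind a TCP socket to 127.0.0.1:port and release it; returns 0 on success,
 * otherwise errno (EACCES is what an unprivileged process gets below 1024). */
int try_bind(int port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0), err = 0;
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (fd < 0) return errno;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0) err = errno;
    close(fd);
    return err;
}

int main(int argc, char **argv)
{
    int port = argc > 1 ? atoi(argv[1]) : 80, err = try_bind(port);
    printf("CAP_NET_BIND_SERVICE effective: %d\n", have_cap_net_bind_service());
    printf("bind(127.0.0.1:%d): %s\n", port, err ? strerror(err) : "ok");
    return err != 0;
}
```

On a default kernel the bind result and the CapEff bit should agree; if net.ipv4.ip_unprivileged_port_start has been lowered, the bind can succeed without the capability, which is itself worth knowing about a host.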
oiaohm
Level 8
Posts: 1020
Joined: Fri Feb 29, 2008 2:54 am

Post by oiaohm »

I have done support for over 8 years on wine, Martin Gregorie. Unless I stuff up in my advice, developers mostly don't chip in.

This is the problem: you turn CAP_NET_BIND_SERVICE on for wine and too many things also get access to that permission. Things you may not want having access to that permission.

I should have been more direct. Capabilities set on wine do inherit through. Wine is coded that way. CAP_NET_BIND_SERVICE is required so a few game servers work from wine. This is only done if there is no native version of that game server as well. Risks are too high to be doing it out of laziness.

The biggest problem with CAP_NET_BIND_SERVICE is that it exists to prevent conflicts and security breaches. Like a user running their own dns server and overriding the system dns server, so allowing a man-in-the-middle attack. Basically a lot of services using ports under 1024 are critical services for security.

Using capabilities when you should not opens up a whole stack of problems. Number 1: wine does not have user separation, so unless you are really really careful, items that should not have it get it.

The problem here, Martin Gregorie, is that what mc2718 is asking to do is not safe or is highly costly on system resources. There is no valid reason to be doing it.

There is a good invalid reason: pure laziness. I don't care if I screw up the system, I just want it to work now.

Basically mc2718 or anyone else: use capabilities without valid grounds and if your system ends up developing lots of strange problems, don't complain to us. You would have brought it on yourself.

It's the same policy we have for people running as root without grounds. There is no valid reason ever to run wine as root on Linux. There are some platforms where there is no other option in some cases but to use root with wine, i.e. no capabilities to hand out permissions.

There are some valid reasons to use capabilities with wine on Linux but they are strictly limited.

I.e. the policy of wine support: if you alter your OS security without valid reason you are on your own.

Be aware, everyone: wine can run some windows viruses and other harmful programs. If these risks did not exist, caps most likely would have been granted from the start line.
Martin Gregorie

Post by Martin Gregorie »

On Sat, 2010-02-06 at 19:18 -0600, oiaohm wrote:
This is the problem: you turn CAP_NET_BIND_SERVICE on for wine and too many
things also get access to that permission. Things you may not want
having access to that permission.
Agreed.
I should have been more direct. Capabilities set on wine do inherit
through. Wine is coded that way.
That's good to know. Thanks.
CAP_NET_BIND_SERVICE is required so a few game servers work from
wine. This is only done if there is no native version of that game
server as well. Risks are too high to be doing it out of laziness.
Agreed again, but it's probably better than running the app as root or
giving it superuser privileges.
The biggest problem with CAP_NET_BIND_SERVICE is that it exists to prevent
conflicts and security breaches. Like a user running their own dns
server and overriding the system dns server, so allowing a man-in-the-middle
attack. Basically a lot of services using ports under 1024 are critical
services for security.
No argument here. I'd normally run that type of process as a daemon and
it WOULD NOT be running under Wine. If I *had* to give that sort of
access to a Wine app I'd probably leave it in userland and make it use a
proxy daemon.
The problem here, Martin Gregorie, is that what mc2718 is asking to do is not safe
or is highly costly on system resources. There is no valid reason to be
doing it.
Agreed again, but if somebody wants to stuff up his own system that's his
problem. He should know what he is doing before he tries any of these
tricks; if he doesn't understand the issues but tries it anyway then he
deserves all the grief he'll get.

That is why I merely listed manpages to read and did not say anything
about how to use the functions they describe. If the OP doesn't read
them and think about what he's read he is unlikely to make anything
work, and if he does read up on these functions and doesn't think about
the problems and security holes he may cause then if bad things happen
he has only himself to blame.

If he does this to anybody else's equipment then his liability insurance
cover had better be sufficient and the premium fully paid up.
Basically mc2718 or anyone else: use capabilities without valid grounds
and if your system ends up developing lots of strange problems, don't
complain to us. You would have brought it on yourself.
Quite.
It's the same policy we have for people running as root without
grounds. There is no valid reason ever to run wine as root on Linux.
Unfortunately Windows NT onwards has such laughable and misdesigned
"security features", including the ability to let the lazy-minded give
ordinary users System Administrator capability, that people think super
user restrictions are only there to annoy them.

All too many people need a severe thrashing with a cluestick if they are
ever to unlearn these habits.


Martin
oiaohm
Level 8
Posts: 1020
Joined: Fri Feb 29, 2008 2:54 am

Post by oiaohm »

Basically, Martin, we are one of the first cluesticks they run into. Just telling them how to do stuff, they will keep on repeating their bad ways. Then come back and blame wine or the people giving assistance for destroying their system.

Wine does not deserve blame for stupidity. Remember a lot of people will not take responsibility for their own actions and seek to blame others.

You will learn this after a few years supporting wine. I.e. don't explain how to alter security until you have checked that the user knows what they are doing.

Sorry if I seem strict. When I was starting out I was more lax and saw wine get blamed for things it should never have been. Like running as root and losing the complete OS due to a windows virus running in wine. Those people came back demanding that wine should be more like a virtual machine. Not accepting their stupidity.
mc2718
Newbie
Posts: 3
Joined: Sat Feb 06, 2010 2:13 am

Post by mc2718 »

Guys, thanks for the information. There is no need to worry about me, I will be fine. Same goes regarding fears of my keeping track of what I do, or complaints about wine. The only alarming thing mentioned above is this one:

"Wine has had to so games and other bad behaving programs work emulate some of the flaws in the windows networking stack. So anything running on top is not 100 percent secure and more likely to be a security risk than using native."

As far as my box is concerned, nothing will be able to get in from the outside, whether I have it actually on the network or not, thanks to the firewall (potential future SSH vulnerabilities aside). But it is an interesting thought that I could run the policy server and the web server in Linux... will look into that.

One last question: would having two 'wine' executables, say original 'wine' and 'wine-open' work, where wine-open has the capability turned on so that I could use that when I need it? I.e., does wine rely on having the name 'wine' for its main executable?
James McKenzie

Post by James McKenzie »

mc2718 wrote:
As far as my box is concerned, nothing will be able to get in from the outside, whether I have it actually on the network or not, thanks to the firewall (potential future SSH vulnerabilities aside). But it is an interesting thought that I could run the policy server and the web server in Linux... will look into that.

I don't rely on firewalls for security and for good reason. Neither
should you. The only totally secure system is that which is not
connected to ANY network and whose data inputs are thoroughly scanned for
input failures.
One last question: would having two 'wine' executables, say original 'wine' and 'wine-open' work, where wine-open has the capability turned on so that I could use that when I need it? I.e., does wine rely on having the name 'wine' for its main executable?


To answer this question: NO. However, it may be wise to link both of
your executables to a script that calls the appropriate one and to
rename both of them to something else. You can then restrict execution
of them to the local machine only.

James McKenzie
oiaohm
Level 8
Posts: 1020
Joined: Fri Feb 29, 2008 2:54 am

Post by oiaohm »

mc2718, good security is like an onion. You have layers.

The firewall is only one layer. DAC permissions are another. MAC permissions are another. Physical controls are another.

At the firewall layer I use single packet port knocking to open ssh. So it is hidden most of the time.

Also, the fewer non-security layers the better. I.e. wine is a non-security layer.

Always remember any one layer could fail one day. Each layer reduces the risk of complete failure.

Security is what got my fear of you, mc2718. People from a windows background have the problem of putting too much faith in anti-viruses and firewalls. Whereas good security from the Unix/Linux world teaches you not to depend on them.
James McKenzie

Post by James McKenzie »

oiaohm wrote:
mc2718, good security is like an onion. You have layers.

The firewall is only one layer. DAC permissions are another. MAC permissions are another. Physical controls are another.

At the firewall layer I use single packet port knocking to open ssh. So it is hidden most of the time.

Also, the fewer non-security layers the better. I.e. wine is a non-security layer.

Always remember any one layer could fail one day. Each layer reduces the risk of complete failure.

Security is what got my fear of you, mc2718. People from a windows background have the problem of putting too much faith in anti-viruses and firewalls. Whereas good security from the Unix/Linux world teaches you not to depend on them.


Or doing a massive study for the CISSP/IASSP exam. I have to get this
to keep my job.

In any case, a firewall, with a host based security system can be and is
a lot of fun.

James McKenzie