MacOS Mojave 10.14 no longer enforces privileged ports

17 points

8 years ago

I originally submitted this as a bug report to Apple security, but after a couple back-and-forth emails, their response was that "Processes are no longer required to run as root to bind to port numbers less than 1024." While there is debate as to whether or not this is useful security anyway, it came as a surprise to me.

This is in contradiction to their current documentation here: https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/AccessControl.html

Now in 10.14, any application, regardless of the user's privileges, can bind to typical reserved ports, such as 22, 80, 443, etc. etc.

Example server using netcat:

  nc -l 0.0.0.0 80
  hello world

Example client:

  echo "hello world" | nc <ip address> 80

Note that their implementation is actually buggy, as binding to anything other than INADDR_ANY (0.0.0.0 or :: for IPv6) requires root privileges:

  nc -l 127.0.0.1 80
  nc: Permission denied

The standard macOS firewall protections still apply (if enabled), so the impact depends on the actual system configuration.