How do I grant permission on port <1024 to a usr?
FedoraForum.org - Fedora Support Forums and Community
  1. #1
    Guys: I'd like to run a web server on port 80, but would like not to use root. How do I do that?

  2. #2
    port 80 is always open for all users.
    That is unless YOU as root CLOSED it.

  3. #3
    Not really. Normal users can't listen on any port under 1024.

    Code:
    [pedro@pmatiello ~]$ nc -l 80
    nc: Permission denied
    But you can listen on a higher port and use iptables to redirect the traffic. Open the firewall configuration tool (System->Config->Firewall) and then add a new rule in the Port Forwarding section (something like from TCP port 80 to 127.0.0.1 port 8080).
    -- Pedro Matiello

  4. #4
    Thank you guys. Port forwarding solved the problem. But still curious if there is a way to grant the permission?

  5. #5
    aleph
    They are called "privileged ports" for a reason...
    Code:
    from rlyeh import cthulhu
    cthulhu.fhtagn()

  6. #6
    Guys, found another way:

    login as root, then:
    chmod +s mywebserver

  7. #7
    stevea Guest
    In the good old days root could open the ports (<1024), so you could create a setuid program (see chmod +s for detail).

    The capabilities (see man 7 capabilities) schema requires that you have CAP_NET_BIND_SERVICE capabilities to open ports <1024 for listening. Capabilities is currently in flux in Linux ... not fully implemented, the user space tools have changed recently. On F10 you'd use 'setcap' to set the 'forced' capability of the executable file - or else you'd use setpcap to set process capability (but setpcap is missing).

    With SELinux the situation is as clear as mud - you must understand the policy wrt the socket objects. Generally under the Fedora SEL policy the root account runs processes with a sysadmin 'user' and appropriate role and domain to permit the 'mojo' needed to do rooty stuff. See that the typical service has this SEL context: "system_u:object_r:bin_t" (some varying domains (types)), which may be sufficient.

    I just looked (2.6.26.1 kernel - close enough) at the code and the <1024 test ONLY references the CAP_NET_BIND capability - so that is what you need. For example:
    linux-2.6.26-1/net/ipv4/af_inet.c: if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))

    ==

    To do this on F10 use the following command:
    su -
    setcap cap_net_bind_service=ep your-program-name


    getcap program-name will show the program's capabilities.


    This will give the program the specific "CAP_NET_BIND_SERVICE" regardless of who runs it.
    Last edited by stevea; 12th December 2008 at 05:08 AM.
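    To make the kernel test stevea quotes concrete (and the "Permission denied" Pedro shows in post #3), here is an added Python example; it is not code from this thread. It mirrors the `snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE)` rule from user space, reads the effective capability mask from /proc/self/status, and then actually attempts the bind so the EACCES is visible. PROT_SOCK = 1024 and capability bit 10 are the kernel's values; SAMPLE_STATUS is a constructed /proc status fragment used only for illustration.

```python
"""Reproduce the kernel's privileged-port check from user space (Linux)."""
import errno
import os
import socket

PROT_SOCK = 1024            # kernel constant: ports below this are privileged
CAP_NET_BIND_SERVICE = 10   # capability bit number from <linux/capability.h>

# Constructed sample of /proc/<pid>/status lines: the effective set holds only
# bit 10, which is what "setcap cap_net_bind_service=ep" leaves a process with.
SAMPLE_STATUS = (
    "Name:\tmywebserver\n"
    "CapInh:\t0000000000000000\n"
    "CapEff:\t0000000000000400\n"
)


def is_privileged_port(port: int) -> bool:
    """Same test as net/ipv4/af_inet.c: nonzero and below PROT_SOCK."""
    return port != 0 and port < PROT_SOCK


def parse_cap_eff(status_text: str) -> int:
    """Return the effective capability mask (CapEff) from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def has_cap(mask: int, cap: int) -> bool:
    """True if capability bit `cap` is set in `mask`."""
    return bool((mask >> cap) & 1)


def current_caps() -> int:
    """Effective capabilities of this process, or 0 when /proc is unavailable."""
    try:
        with open("/proc/self/status") as f:
            return parse_cap_eff(f.read())
    except (OSError, ValueError):
        return 0


def try_bind(port: int, host: str = "127.0.0.1") -> int:
    """Attempt a TCP bind; return 0 on success, else the errno (EACCES for a privileged port)."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((host, port))
            return 0
    except OSError as e:
        return e.errno


def explain(port: int, caps: int) -> str:
    """Predict what bind() will do, applying the same rule the kernel applies."""
    if not is_privileged_port(port):
        return f"port {port}: unprivileged, any user may bind it"
    if has_cap(caps, CAP_NET_BIND_SERVICE):
        return f"port {port}: privileged, but CAP_NET_BIND_SERVICE is effective, bind allowed"
    return (f"port {port}: privileged and CAP_NET_BIND_SERVICE missing, expect EACCES "
            "(use setcap on the binary, or listen high and redirect with iptables)")


if __name__ == "__main__":
    caps = current_caps()
    print(f"uid={os.getuid()} CapEff=0x{caps:016x}")
    for port in (80, 8080):
        print(explain(port, caps))
        rc = try_bind(port)
        print(f"  bind({port}) -> {'ok' if rc == 0 else errno.errorcode.get(rc, rc)}")
```

    Run as an ordinary user this reports EACCES for 80 and ok for 8080; after `setcap cap_net_bind_service=ep` on a binary, `getcap` shows the bit and the same bind succeeds without the whole program running as root. The Firewall tool's port-forwarding rule from post #3 corresponds to a NAT REDIRECT, for example `iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080`, which needs no privilege in the server at all.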

  8. #8
    stevea Guest
    Quote Originally Posted by RobinQi
    Guys, Found another way:

    login as root, then:
    chmod +s mywebserver

    That solution will work but be aware of two things ... EVERYTHING that program does is privileged as root (or whoever owns the file). So if the program writes or reads or executes files a sneaker might be able to use it to gain system control. The other point is that once capabilities is fully implemented root will no longer be a privileged account and the file setuid bit will be mostly pointless.

  9. #9
    Thanks Steve, this is the 2nd time you solved my problem.
    Yeah, I realized the chmod is a bad idea since the binary will run as root. For now I will stay with port forwarding.
    I have never used capabilities before, though heard it all the time, maybe that's the next step.
