Re: allow process or user to listen on priviledged ports?

[Nick Craig-Wood]

On Wed, Dec 24, 2003 at 05:43:09PM +0100, Sven K?hler wrote:
> my problem is, that i want an application to listen on a priviledged 
> port (e.g. port 80) and to run as a "normal" unpriviledged user

I would give your application this capability (from #include "linux/capability.h")

  /* Allows binding to TCP/UDP sockets below 1024 */
  /* Allows binding to ATM VCIs below 32 */

  #define CAP_NET_BIND_SERVICE 10

You do this with a setuid wrapper which drops all capabilities but
that one and then runs your application.

One day there will be a way of doing this in the filing system, so
instead of doing a chmod u+s you do a chmod +CAP_NET_BIND_SERVICE or
something!  Until then use a setuid wrapper....

Here is a FAQ

  http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.txt

Actually the FAQ mentions sucap which seems to be a fairly standard
program (its in Debian anyway!).  You could use this too...

-- 
Nick Craig-Wood
ncw1@xxxxxxxxxxxxxxxx
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/