Re: allow process or user to listen on priviledged ports?

From: Sven Köhler
Date: Thu Dec 25 2003 - 12:53:13 EST

Next message: Giacomo Di Ciocco: "Re: 2.6.0 "Losing too many ticks!""
Previous message: Andreas Jellinghaus: "Re: [PATCH] add sysfs mem device support [2/4]"
In reply to: Sven Köhler: "Re: allow process or user to listen on priviledged ports?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I would give your application this capability (from #include "linux/capability.h")

/* Allows binding to TCP/UDP sockets below 1024 */
/* Allows binding to ATM VCIs below 32 */

#define CAP_NET_BIND_SERVICE 10

You do this with a setuid wrapper which drops all capabilities but
that one and then runs your application.

Thx for the answer! That's exactly what i search for.

Unfortunatly my gladness didn't last long. The FAQ at
http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.txt states that CAP_SETPCAP is disabled, but it doesn't say why it is disapled. That capability is needed by sucap to work.

So why is CAP_SETPCAP disabled by default?

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Giacomo Di Ciocco: "Re: 2.6.0 "Losing too many ticks!""
Previous message: Andreas Jellinghaus: "Re: [PATCH] add sysfs mem device support [2/4]"
In reply to: Sven Köhler: "Re: allow process or user to listen on priviledged ports?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]