It's very annoying to have this limitation on my development box, when there won't ever be any users other than me.
I'm aware of the standard workarounds, but none of them do exactly what I want:
Is there some simple sysctl variable to allow non-root processes to bind to "privileged" ports (ports less than 1024) on Linux, or am I just out of luck?
EDIT: In some cases, you can use capabilities to do this.
Linux divides port numbers into privileged ports (below 1024, sometimes called "trusted" ports) and unprivileged ports. Only a process running as root, or one holding the CAP_NET_BIND_SERVICE capability, may bind a listening socket to a privileged port; any unprivileged client can still connect to such a port from an ordinary ephemeral port.

Privileged ports. The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them. This is a security feature: if you connect to a service on one of these ports, you can be fairly sure that it is the real thing and not a fake that some unprivileged user on that machine has put up for you. Note that the guarantee is only that the listener was started with root privileges on that host; it says nothing about whether the host itself is trustworthy.

The capability we need to add is CAP_NET_BIND_SERVICE, which is defined as the ability for a process to bind to a port below 1024. Setting file capabilities requires root, so first become root. Then add the capability to the httpd binary:

root@myhost # setcap cap_net_bind_service=+ep /usr/sbin/httpd

You can confirm that it took effect with getcap /usr/sbin/httpd, which should print the binary path followed by cap_net_bind_service=ep.
Okay, thanks to the people who pointed out the capabilities system and the CAP_NET_BIND_SERVICE capability. If you have a recent kernel, it is indeed possible to use this to start a service as non-root but bind low ports. The short answer is that you do:

setcap 'cap_net_bind_service=+ep' /path/to/program

And then anytime program is executed thereafter it will have the CAP_NET_BIND_SERVICE capability. setcap is in the Debian package libcap2-bin.
Now for the caveats: [...] program that has elevated privileges like setcap or suid. So if your program uses its own .../lib/, you might have to look into another option like port forwarding.

Resources: setcap.

Note: RHEL first added this in v6.
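The following is an added example and is not part of the question or the answer above. It is a small Python check that decodes the effective capability set (CapEff) of a process from its /proc status text and tries to bind a privileged port, so you can confirm whether a setcap step actually took effect rather than guessing from a failed service start. The function names and the sample /proc status text are my own constructions; the bit index for CAP_NET_BIND_SERVICE (10) comes from the kernel's capability header.

```python
"""Check CAP_NET_BIND_SERVICE and privileged-port binding from a process's point of view.

Added example, not code from the original question or answer. Function names and the
sample status text below are assumptions made for this illustration.
"""
import errno
import socket

CAP_NET_BIND_SERVICE = 10      # bit index in CapEff/CapPrm, from <linux/capability.h>
PRIVILEGED_PORT_LIMIT = 1024   # ports below this need root or CAP_NET_BIND_SERVICE


def cap_eff_from_status(status_text: str) -> int:
    """Return the effective capability bitmask from /proc/<pid>/status content."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line found in status text")


def has_cap_net_bind_service(cap_eff: int) -> bool:
    """True if CAP_NET_BIND_SERVICE is set in the given effective capability mask."""
    return bool((cap_eff >> CAP_NET_BIND_SERVICE) & 1)


def current_process_has_cap() -> bool:
    """Read /proc/self/status and report whether this process can bind low ports."""
    with open("/proc/self/status") as fh:
        return has_cap_net_bind_service(cap_eff_from_status(fh.read()))


def is_privileged_port(port: int) -> bool:
    return port < PRIVILEGED_PORT_LIMIT


def try_bind(port: int, host: str = "127.0.0.1"):
    """Attempt to bind a TCP socket to host:port.

    Returns (True, None) on success or (False, errno_name) on failure, e.g.
    (False, "EACCES") for an unprivileged process binding port 80. The socket is
    closed immediately; nothing is left listening.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((host, port))
        return True, None
    except OSError as exc:
        return False, errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


# Constructed sample /proc/<pid>/status excerpts (not captured from a real system).
SAMPLE_STATUS_UNPRIV = (
    "Name:\tmyserver\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\n"
)
SAMPLE_STATUS_WITH_CAP = (
    "Name:\tmyserver\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000400\n"   # 0x400 = 1 << 10, i.e. only CAP_NET_BIND_SERVICE
    "CapEff:\t0000000000000400\n"
)


if __name__ == "__main__":
    print("CAP_NET_BIND_SERVICE in effective set:", current_process_has_cap())
    for port in (80, 8080):
        ok, err = try_bind(port)
        kind = "privileged" if is_privileged_port(port) else "unprivileged"
        print(f"bind 127.0.0.1:{port} ({kind}):", "ok" if ok else f"failed ({err})")
```

Run it once as an ordinary user (port 80 fails with EACCES, port 8080 succeeds) and once under root to see the difference. File capabilities are applied to the executable that the kernel exec()s, so putting cap_net_bind_service on a Python script has no effect and putting it on the interpreter would hand the capability to every script run with it; for a real service, set it on the compiled daemon binary as the answer describes. On kernels 4.11 and later there is also the sysctl net.ipv4.ip_unprivileged_port_start, which moves the privileged/unprivileged boundary system-wide; it answers the literal question above, but it relaxes the rule for every user on the box rather than for one binary.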