Re: allow process or user to listen on priviledged ports?
From: Nick Craig-Wood
Date: Thu Dec 25 2003 - 05:47:23 EST
On Wed, Dec 24, 2003 at 05:43:09PM +0100, Sven K?hler wrote:
> my problem is, that i want an application to listen on a priviledged
> port (e.g. port 80) and to run as a "normal" unpriviledged user
I would give your application this capability (from #include "linux/capability.h")
/* Allows binding to TCP/UDP sockets below 1024 */
/* Allows binding to ATM VCIs below 32 */
#define CAP_NET_BIND_SERVICE 10
You do this with a setuid wrapper which drops all capabilities but
that one and then runs your application.
One day there will be a way of doing this in the filing system, so
instead of doing a chmod u+s you do a chmod +CAP_NET_BIND_SERVICE or
something! Until then use a setuid wrapper....
Here is a FAQ
http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.txt
Actually the FAQ mentions sucap which seems to be a fairly standard
program (its in Debian anyway!). You could use this too...
--
Nick Craig-Wood
ncw1@xxxxxxxxxxxxxxxx
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/