Re: allow process or user to listen on priviledged ports?
From: Sven Köhler
Date: Thu Dec 25 2003 - 12:53:13 EST
I would give your application this capability (from #include
"linux/capability.h")
/* Allows binding to TCP/UDP sockets below 1024 */
/* Allows binding to ATM VCIs below 32 */
#define CAP_NET_BIND_SERVICE 10
You do this with a setuid wrapper which drops all capabilities but
that one and then runs your application.
Thx for the answer! That's exactly what i search for.
Unfortunatly my gladness didn't last long. The FAQ at
http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.txt
states that CAP_SETPCAP is disabled, but it doesn't say why it is
disapled. That capability is needed by sucap to work.
So why is CAP_SETPCAP disabled by default?
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/