Old 05-02-2002, 08:00 AM   #1
Registered: Apr 2002
Posts: 549

Rep: Reputation: 30
Controlling port access?

How can I allow only trusted apps (i.e. administrator-installed daemons) to bind to certain ports?
Old 05-02-2002, 12:53 PM   #2
Registered: Apr 2002
Location: Italy
Distribution: RockLinux
Posts: 35

Rep: Reputation: 15
Installing apps without being root isn't too simple ... but more importantly, only root can bind "input" ports, so no app can bind to a port and listen for an input connection without having root privileges (at least at binding time) AND only root (or a good cracker) can give it root privileges.

So, simplifying:

Only root "installed" daemons can bind "input" ports!

Just for info, there are systems configured in special ways that can permit non-root users to bind ports using capabilities ... but that isn't your case.
Old 05-11-2002, 05:03 PM   #3
Registered: May 2002
Location: South Africa
Distribution: Gentoo
Posts: 103

Rep: Reputation: 15
Is it supposed to be that way? On my system any odd program can bind to a port higher than 1023 and only suid root programs (or started by root) can open on lower than that.

Which brings up the question: Is it possible to allow a specific program (not started by root and not suid root) to bind on a specific port lower than 1024? So to start up apache not as root but as something else and to still allow it to bind to port 80.

P.S. I'm aware the actual workers of Apache run as nobody.
Old 05-13-2002, 01:39 AM   #4
Registered: May 2001
Posts: 28,826
Blog Entries: 55

Rep: Reputation: 3342
In theory any user having access to Linux capabilities like CAP_NET_BIND_SERVICE is able to bind to ports below 1024.
In reality this is a root user privilege.
In your example Apache will start up as root, bind to the port and then drop its privileges to the user mentioned in the conf. IMHO there's no other way this would work, and if there were I'm pretty much sure it'd be a major PITA to administer :-]
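
The bind-then-drop sequence described in post #4, as an added example that is not part of the thread and not Apache's own code. The function names `bind_listener` and `drop_privileges` are hypothetical, and the port and uid/gid passed in are the caller's choice.

```c
#define _GNU_SOURCE   /* setgroups(); added example, names are hypothetical */
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listening TCP socket on `port`, or -1 with errno set. Ports below 1024 give
 * EACCES by default unless the caller is root or has CAP_NET_BIND_SERVICE. */
int bind_listener(in_port_t port)
{
    struct sockaddr_in sa;
    int saved, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        saved = errno;          /* close() may clobber errno */
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Switch permanently to an unprivileged uid/gid. Order matters: supplementary
 * groups and the gid must be changed while the process is still root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) {             /* switching to root is not a drop */
        errno = EINVAL;
        return -1;
    }
    if (geteuid() == 0 && setgroups(1, &gid) < 0)
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    /* Verify the drop: regaining root must now fail. */
    if (setuid(0) == 0 || geteuid() != uid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}
```

A daemon started by root would call `bind_listener(80)` first and then `drop_privileges()` with the uid/gid of its service account before accepting any connection; the already-bound socket stays usable after the drop.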


All times are GMT -5.