LinuxQuestions.org

Linux - Security: Does SELinux allow Non-root user bind to port <1024 (http://www.linuxquestions.org/questions/linux-security-4/does-selinux-allow-non-root-user-bind-to-port-1024-a-840233/)

suddenlyalice 10-24-2010 11:23 PM

Does SELinux allow Non-root user bind to port <1024
 
Hi,

I am new to SELinux, I am just starting reading on SELinux...

My understanding is that SELinux adds type enforcement to standard Linux. This means that both the standard Linux and the enhanced SELinux access controls must be satisfied to access an object. Which means that anything that is prevented in normal standard Linux will also be prevented on an SELinux system?

Does SELinux make it possible for non-root software to bind to a port < 1024, something that standard Linux won't allow?

If not, what other suggestions do you have for allowing a program to run as non-root but still be able to bind to privileged ports? I know all about using port redirection such as ipchains or iptables... but I am trying to avoid them.

Thanks

forrestt 10-24-2010 11:32 PM

SELinux and standard Linux work together to determine what is allowed. If EITHER prevents something, then it doesn't happen. So, no, non-root software can't bind to a port below 1024, so SELinux isn't going to help with that. If that is what you are trying to accomplish, look into jsvc:

http://commons.apache.org/daemon/jsvc.html

HTH

Forrest

Noway2 10-25-2010 04:58 AM

Quote:

    If not, what other suggestions do you have for allowing a program to run as non-root but able to bind to privileged ports? I know all about using the port re-direction such as ipchains, iptables. .. but I am trying to avoid them.

Programs can be run as the root user by launching them with the sudo command, which would allow them to do things like bind to ports below 1024. This requires you to enter a password by definition.

Normally, most applications that require root access are started at boot as a child of the init process, which does run as root. As a safety measure, applications like Apache, which require this ability to bind to ports below 1024, spawn a non-privileged user account, drop their root privilege and then run under the lower-privilege account. There is no easy way for an application to "gain root" privilege, as doing so would be a major security problem.

forrestt 10-25-2010 05:14 AM

Noway2, I took it to mean that suddenlyalice is trying to launch a program that is run as a normal user with the ability to talk on a privileged port. Typically this discussion comes up w/ Tomcat because Java cannot respawn a process as a different user. This means that (in the past) if you wanted to launch Tomcat on port 80, you had to run it as root. If you didn't want to run it as root, you couldn't put it on the standard port. This is the reason that jsvc was created. I'm not sure if suddenlyalice is referring to Tomcat or not, but the concepts that jsvc use can be applied to any daemon.

HTH

Forrest

Noway2 10-26-2010 04:59 AM

Forrest, I understand your posts now. This jsvc sounds like a neat application. I was coming at this from a different perspective. My background is in embedded systems programming and I tend to write a lot of "low level" stuff. I was thinking of this problem in terms of writing a small script or application that would bind to a privileged port for standards compatibility.

This thread has left me wondering if this type of problem, in general, can be solved via the setuid bits? In which case the owner would have to be root with others set to executable, would it not? While it isn't something that you would necessarily want to do very often, there are times when you would want to override the default security and run applications with root privilege.
