LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 10-24-2010, 11:23 PM   #1
suddenlyalice
LQ Newbie
 
Registered: Oct 2010
Posts: 3

Rep: Reputation: 0
Does SELinux allow Non-root user bind to port <1024


Hi,

I am new to SELiux, I am just starting reading on SELinux...

My understanding is SELinux adds type enforcement to standard Linux. This means that both the standard Linux and enhanced SELinux access controls must be satisfied to access an object. Which means that thing that is prevented to do in the normal standard Linux will be also prevented in the SELinux System?

Does SELinux make it possible to run a non-root software to bind to a port < 1024? something that standard Linux won't allow?

If not, what other suggestions do you have for allowing a program to run as non-root but able to bind to privileged ports? I know all about using the port re-direction such as ipchains, iptables. .. but I am trying to avoid them.

Thanks
 
Old 10-24-2010, 11:32 PM   #2
forrestt
Senior Member
 
Registered: Mar 2004
Location: Cary, NC, USA
Distribution: Fedora, Kubuntu, RedHat, CentOS, SuSe
Posts: 1,288

Rep: Reputation: 99
SELinux and standard Linux work together to determine what is allowed. If EITHER prevents something, then it doesn't happen. So, no, non-root software can't bind to a port below 1024, so SELinux isn't going to help that. If that is what you are trying to accomplish, look into jscv:

http://commons.apache.org/daemon/jsvc.html

HTH

Forrest
 
Old 10-25-2010, 04:58 AM   #3
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
Quote:
If not, what other suggestions do you have for allowing a program to run as non-root but able to bind to privileged ports? I know all about using the port re-direction such as ipchains, iptables. .. but I am trying to avoid them.
Programs can be run as a root user by launching them with the sudo command, which would allow it to do things like bind to ports below 1024. This requires you to enter a password by definition.

Normally, most applications that require root access are performed at startup as a child of the init process which does run as root. As a safety measure applications like Apache, which require this ability to bind to ports below 1024 spawn a non privileged user account, drop their root privilege and then run under the lower privilege account. There is no easy way for an application to "gain root" privilege as doing so would be a major security problem.
 
Old 10-25-2010, 05:14 AM   #4
forrestt
Senior Member
 
Registered: Mar 2004
Location: Cary, NC, USA
Distribution: Fedora, Kubuntu, RedHat, CentOS, SuSe
Posts: 1,288

Rep: Reputation: 99
Noway2, I took it to mean that suddenlyalice is trying to launch a program that is run as a normal user with the ability to talk on a privileged port. Typically this discussion comes up w/ Tomcat because Java cannot respawn a process as a different user. This means that (in the past) if you wanted to launch Tomcat on port 80, you had to run it as root. If you didn't want to run it as root, you couldn't put it on the standard port. This is the reason that jsvc was created. I'm not sure if suddenlyalice is referring to Tomcat or not, but the concepts that jsvc use can be applied to any daemon.

HTH

Forrest
 
Old 10-26-2010, 04:59 AM   #5
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
Forrest, I understand your posts now. This jsvc sounds like a neat application. I was coming at this from a different perspective. My background is in embedded systems programming and I tend to write a lot of "low level" stuff. I was thinking of this problem in terms of writing a small script or application that would bind to a privileged port for standards compatibility.

This thread has left me wondering if this type of problem, in general, can be solved via the setuid bits? In which case the owner would have to be root with others set to executable would it not? While it isn't something that you would necessarily want to do very often, there are times when you would want to override the default security and run applications with root privilege.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Allowing non-root to bind to ports < 1024? MWTJ Linux - Networking 8 08-12-2011 07:06 PM
need permission for apache-launched daemon to bind on port under 1024 sneakyimp Programming 2 05-05-2009 08:56 PM
Is REALLY under appli using port < 1024 Root ? PlatinumX Linux - Security 7 11-17-2008 07:33 AM
non-root bind to port 389 biddljj Linux - Server 1 07-26-2007 12:44 PM
how to bind a <1024 port number with a non root users linuxlouis Linux - Networking 0 08-11-2003 11:10 AM


All times are GMT -5. The time now is 02:08 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration