LinuxQuestions.org
Old 05-02-2002, 08:00 AM   #1
ugenn
Member
 
Registered: Apr 2002
Posts: 549

Rep: Reputation: 30
Controlling port access?


How can I allow only trusted apps (i.e. administrator-installed daemons) to bind to certain ports?
 
Old 05-02-2002, 12:53 PM   #2
Norel
Member
 
Registered: Apr 2002
Location: Italy
Distribution: RockLinux
Posts: 35

Rep: Reputation: 15
Installing apps without being root isn't too simple ... but more important, only root can bind "input" ports, so no app can bind to a port and listen for an input connection without having root privileges (at least at binding time) AND only root (or a good cracker) can give it root privileges.

So simplifying:

Only root "installed" daemons can bind "input" ports!

Just for info, there are systems configured in special ways that can permit non-root users to bind ports using capabilities ... but that isn't your case.
 
Old 05-11-2002, 05:03 PM   #3
koningshoed
Member
 
Registered: May 2002
Location: South Africa
Distribution: Gentoo
Posts: 103

Rep: Reputation: 15
Is it supposed to be that way? On my system any odd program can bind to a port higher than 1023 and only suid root programs (or started by root) can open on lower than that.

Which brings up the question: Is it possible to allow a specific program (not started by root and not suid root) to bind on a specific port lower than 1024? So to start up apache not as root but as something else and to still allow it to bind to port 80.

P.S. I'm aware the actual workers of apache run as nobody.
 
Old 05-13-2002, 01:39 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
In theory any user having access to Linux capabilities like CAP_NET_BIND_SERVICE is able to bind to ports below 1024.
In reality this is a root user privilege.
In your example Apache will start up as root, bind to the port and then drop its privileges to the user mentioned in the conf. IMHO there's no other way this would work, and if there were I'm pretty much sure it'll be a major PITA to administer :-]
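
As an added example (not code from any poster in this thread), the sketch below audits the rule discussed above: the kernel permits a bind to a port below 1024 when the process's effective capability set contains CAP_NET_BIND_SERVICE, which root normally holds. The `/proc/<pid>/status` samples, the process names `myd` and `jailed`, and the default threshold of 1024 are assumptions constructed for illustration.

```python
# Added example: decide from /proc/<pid>/status whether a process may bind a port.
CAP_NET_BIND_SERVICE = 10    # bit number, from <linux/capability.h>
DEFAULT_UNPRIV_START = 1024  # assumption: default threshold, not lowered via sysctl

# Constructed samples, trimmed to the three fields the parser reads.
APACHE_PARENT = "Name:\thttpd\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
APACHE_WORKER = "Name:\thttpd\nUid:\t65534\t65534\t65534\t65534\nCapEff:\t0000000000000000\n"
CAP_ONLY = "Name:\tmyd\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000400\n"
ROOT_NO_CAPS = "Name:\tjailed\nUid:\t0\t0\t0\t0\nCapEff:\t0000000000000000\n"


def parse_status(text):
    """Return (name, effective uid, effective capability mask)."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    euid = int(fields["Uid"].split()[1])  # order: real, effective, saved, fs
    cap_eff = int(fields["CapEff"].strip(), 16)
    return fields["Name"].strip(), euid, cap_eff


def may_bind(status_text, port, unpriv_start=DEFAULT_UNPRIV_START):
    """Return (allowed, reason) for a new bind() to `port` by this process."""
    name, euid, cap_eff = parse_status(status_text)
    if port >= unpriv_start:
        return True, f"{name}: port {port} is unprivileged"
    if (cap_eff >> CAP_NET_BIND_SERVICE) & 1:
        return True, f"{name}: uid {euid} holds CAP_NET_BIND_SERVICE"
    return False, f"{name}: uid {euid} lacks CAP_NET_BIND_SERVICE"


if __name__ == "__main__":
    samples = [APACHE_PARENT, APACHE_WORKER, CAP_ONLY, ROOT_NO_CAPS]
    for text in samples:
        print(may_bind(text, 80)[1])
    # Live check of the current process (Linux only).
    with open("/proc/self/status") as fh:
        print(may_bind(fh.read(), 80)[1])
```

The worker sample cannot make a new bind to port 80, yet it can still serve that port because it inherits the socket the parent bound before dropping privileges. The `ROOT_NO_CAPS` sample shows the reverse case: uid 0 with an empty effective set is refused.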
 
  

