Does SELinux allow Non-root user bind to port <1024
Hi,
I am new to SELinux; I am just starting to read on SELinux...
My understanding is SELinux adds type enforcement to standard Linux. This means that both the standard Linux and enhanced SELinux access controls must be satisfied to access an object. Which means that anything that is prevented in normal standard Linux will also be prevented in the SELinux system?
Does SELinux make it possible for non-root software to bind to a port < 1024, something that standard Linux won't allow?
If not, what other suggestions do you have for allowing a program to run as non-root but able to bind to privileged ports? I know all about using port redirection such as ipchains, iptables... but I am trying to avoid them.
SELinux and standard Linux work together to determine what is allowed. If EITHER prevents something, then it doesn't happen. So, no, non-root software can't bind to a port below 1024, so SELinux isn't going to help with that. If that is what you are trying to accomplish, look into jsvc:
If not, what other suggestions do you have for allowing a program to run as non-root but able to bind to privileged ports? I know all about using port redirection such as ipchains, iptables... but I am trying to avoid them.
Programs can be run as a root user by launching them with the sudo command, which would allow it to do things like bind to ports below 1024. This requires you to enter a password by definition.
Normally, most applications that require root access are started at boot as a child of the init process, which does run as root. As a safety measure, applications like Apache, which require this ability to bind to ports below 1024, spawn a non-privileged user account, drop their root privilege and then run under the lower-privilege account. There is no easy way for an application to "gain root" privilege, as doing so would be a major security problem.
Noway2, I took it to mean that suddenlyalice is trying to launch a program that is run as a normal user with the ability to talk on a privileged port. Typically this discussion comes up with Tomcat because Java cannot respawn a process as a different user. This means that (in the past) if you wanted to launch Tomcat on port 80, you had to run it as root. If you didn't want to run it as root, you couldn't put it on the standard port. This is the reason that jsvc was created. I'm not sure if suddenlyalice is referring to Tomcat or not, but the concepts that jsvc uses can be applied to any daemon.
Forrest, I understand your posts now. This jsvc sounds like a neat application. I was coming at this from a different perspective. My background is in embedded systems programming and I tend to write a lot of "low level" stuff. I was thinking of this problem in terms of writing a small script or application that would bind to a privileged port for standards compatibility.
This thread has left me wondering if this type of problem, in general, can be solved via the setuid bits? In that case the owner would have to be root with others set to executable, would it not? While it isn't something that you would necessarily want to do very often, there are times when you would want to override the default security and run applications with root privilege.
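The bind-then-drop pattern Noway2 describes for Apache (and that jsvc applies to Tomcat) written out in C, as an added example that is not code from this thread: a program started as root, or carrying the setuid-root bit, binds the privileged port first and then permanently gives up root before it serves anything. The uid/gid 65534 in main() is assumed to be the unprivileged "nobody" account; a real daemon would look the account up by name.

```c
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind and listen on a loopback TCP port. A port below 1024 needs root
 * (directly, or via the setuid-root bit) at this moment. Returns fd or -1. */
int bind_listen(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in addr = {0};
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Port actually bound (port 0 asks the kernel for an ephemeral one >= 1024). */
int bound_port(int fd) {
    struct sockaddr_in addr;
    socklen_t len = sizeof addr;
    if (getsockname(fd, (struct sockaddr *)&addr, &len) < 0) return -1;
    return ntohs(addr.sin_port);
}

/* Permanently drop root: supplementary groups, then gid, then uid (the reverse
 * order fails), then confirm root cannot come back. Refuses uid 0 as target. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0) return -1;
    if (getuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;  /* root came back: fail closed */
    return 0;
}

int main(void) {
    int fd = bind_listen(80);  /* works only when started as root or setuid-root */
    /* 65534 is assumed to be the unprivileged "nobody" uid and gid */
    if (fd < 0 || drop_privileges(65534, 65534) != 0) { perror("setup"); return 1; }
    printf("port %d bound, now serving as uid %d\n", bound_port(fd), (int)getuid());
    return 0;
}
```

Once drop_privileges() has returned 0 the process holds the open listening socket but can no longer bind another privileged port, read root-only files, or regain uid 0, which is exactly the state Apache runs its workers in.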