How to bind privileged ports in a non-root process?

2006-11-28 Thread Nadav Har'El
Hi, I've run into a problem which it seems like thousands of people must have come across before, but strangely, I can't figure out a good solution. I have a program which I want to bind port 80. Normally, in Linux, you must be root to bind privileged ports (below port 1024), but I DO NOT want to

Re: How to bind privileged ports in a non-root process?

2006-11-28 Thread Shachar Shemesh
Nadav Har'El wrote: So basically, I want to tell linux to allow this process (or any process, for that manner) to bind any port. I tried using capabilities, but didn't get it to work (does anyone know if this feature still exists in modern kernels??), It's supposed to be a part of SELinux, so

Re: How to bind privileged ports in a non-root process?

2006-11-28 Thread Ilya Konstantinov
On 11/28/06, Nadav Har'El wrote: So basically, I want to tell linux to allow this process (or any process, for that manner) to bind any port. I tried using capabilities, but didn't get it to work (does anyone know if this feature still exists in modern kernels??), and I tried

Re: How to bind privileged ports in a non-root process?

2006-11-28 Thread Ira Abramov
Quoting Nadav Har'El, from the post of Tue, 28 Nov: So can anybody suggest an idea on how to let a non-root process bind port 80 on Linux? not without mucking about in the kernel with special privileges to specific users. What many people do is use (x)inetd or Dan Bernstein's tcpserver to bind

Re: How to bind privileged ports in a non-root process?

2006-11-28 Thread Yedidyah Bar-David
On Tue, Nov 28, 2006 at 09:51:12AM +0200, Nadav Har'El wrote: Hi, I've run into a problem which it seems like thousands of people must have come across before, but strangely, I can't figure out a good solution. I have a program which I want to bind port 80. Normally, in Linux, you must be

Re: How to bind privileged ports in a non-root process?

2006-11-28 Thread Ilya Konstantinov
On 11/28/06, Shachar Shemesh wrote: Nadav Har'El wrote: So basically, I want to tell linux to allow this process (or any process, for that manner) to bind any port. I tried using capabilities, but didn't get it to work (does anyone know if this feature still exists in modern

Re: How to bind privileged ports in a non-root process?

2006-11-28 Thread Gilad Ben-Yossef
Nadav Har'El wrote: Hi, I've run into a problem which it seems like thousands of people must have come across before, but strangely, I can't figure out a good solution. I have a program which I want to bind port 80. Normally, in Linux, you must be root to bind privileged ports (below port

Re: How to bind privileged ports in a non-root process?

2006-11-28 Thread Muli Ben-Yehuda
On Tue, Nov 28, 2006 at 10:13:02AM +0200, Shachar Shemesh wrote: Nadav Har'El wrote: So basically, I want to tell linux to allow this process (or any process, for that manner) to bind any port. I tried using capabilities, but didn't get it to work (does anyone know if this feature still

Re: How to bind privileged ports in a non-root process?

2006-11-28 Thread Shachar Shemesh
Gilad Ben-Yossef wrote: Prepare a small library that intercepts calls to the library socket() and bind() calls and if, according to the parameters, the socket/bind is for the low port socket, instead of calling the actual bind/socket of the library, will simply return the appropriate saved

Re: How to bind privileged ports in a non-root process?

2006-11-28 Thread Shachar Shemesh
Muli Ben-Yehuda wrote: To answer the original question, I would write a wrapper that uses ptrace to do what's needed, but I'm crazy that way. Hey! I already suggested that! Actually, I changed my mind. I think that in this particular case LD_PRELOAD will probably work better (you need to

Re: How to bind privileged ports in a non-root process?

2006-11-28 Thread Muli Ben-Yehuda
On Tue, Nov 28, 2006 at 11:43:53AM +0200, Shachar Shemesh wrote: Muli Ben-Yehuda wrote: To answer the original question, I would write a wrapper that uses ptrace to do what's needed, but I'm crazy that way. Hey! I already suggested that! I hope you're not expecting royalties :-)

Re: How to bind privileged ports in a non-root process?

2006-11-28 Thread Shachar Shemesh
Muli Ben-Yehuda wrote: I hope you're not expecting royalties :-) I'll settle for 20% of the list price. Actually, I changed my mind. I think that in this particular case LD_PRELOAD will probably work better (you need to make calls to the socket from the traced program in order to get the

Re: How to bind privileged ports in a non-root process?

2006-11-28 Thread Nadav Har'El
On Tue, Nov 28, 2006, Ilya Konstantinov wrote about Re: How to bind privileged ports in a non-root process?: You might be able to leave some chosen capability with a non-root process by: 1. Starting as a root process. 2. Eliminating all but the needed capabilities with capset(2

Re: How to bind privileged ports in a non-root process?

2006-11-28 Thread Yedidyah Bar-David
On Tue, Nov 28, 2006 at 11:39:02AM +0200, Shachar Shemesh wrote: Gilad Ben-Yossef wrote: Prepare a small library that intercepts calls to the library socket() and bind() calls and if, according to the parameters, the socket/bind is for the low port socket, instead of calling the actual

Re: How to bind privileged ports in a non-root process?

2006-11-28 Thread Shachar Shemesh
Yedidyah Bar-David wrote: 4. Ilya's solution - use iptables to redirect to an unprivileged port. Simple solutions don't count. Why else would I disregard the SELinux option? Shachar -- Shachar Shemesh Lingnu Open Source Consulting ltd. Have you backed up today's work?

Re: How to bind privileged ports in a non-root process?

2006-11-28 Thread Muli Ben-Yehuda
On Tue, Nov 28, 2006 at 11:09:07AM +0200, Ilya Konstantinov wrote: You might be able to leave some chosen capability with a non-root process by: 1. Starting as a root process. 2. Eliminating all but the needed capabilities with capset(2) (or whatever higher-level function there is --

Re: How to bind privileged ports in a non-root process?

2006-11-28 Thread Shachar Shemesh
Ilya Konstantinov wrote: Just to set the facts straight, capabilities are not part of SELinux. Ok. Sorry. Don't have any experience with either. SELinux is a different shot at this, one which is not derived from capabilities, so it should not be brought into this discussion. Doesn't SELinux

Re: How to bind privileged ports in a non-root process?

2006-11-28 Thread Nadav Har'El
On Tue, Nov 28, 2006, Nadav Har'El wrote about Re: How to bind privileged ports in a non-root process?: 1. Starting as a root process. 2. Eliminating all but the needed capabilities with capset(2) (or whatever higher-level function there is -- they're undocumented on my system) 3

Re: How to bind privileged ports in a non-root process?

2006-11-28 Thread Muli Ben-Yehuda
On Tue, Nov 28, 2006 at 12:59:40PM +0200, Muli Ben-Yehuda wrote: On Tue, Nov 28, 2006 at 11:09:07AM +0200, Ilya Konstantinov wrote: You might be able to leave some chosen capability with a non-root process by: 1. Starting as a root process. 2. Eliminating all but the needed

Re: How to bind privileged ports in a non-root process?

2006-11-28 Thread Ira Abramov
Quoting Nadav Har'El, from the post of Tue, 28 Nov: Privileged ports perhaps made sense for security on mainframe Unix (to prevent simple users from pretending to the outside world that they supply services for this machine), but they make little sense today why is that exactly? I don't want