Juppe writes:

> Hey,
>
> A few weeks ago I built a Tor network into my WAN lab environment and I'm
> using Tor version v0.2.3.17-beta. Today I wanted to change the nodes' DirPorts
> to use 80 and OrPorts to use 443 (before they were between 5000-6000), but I
> had the following output when I tried to start my directory server, and it
> was the same thing with the other nodes:
>
> [notice] Opening OR Listener on 0.0.0.0:443
> [warn] Could not bind to 0.0.0.0:443: Permission denied
> [notice] Opening Directory listener on 0.0.0.0:80
> [warn] Could not bind to 0.0.0.0:80: Permission denied
>
> Do I have to somehow run Tor as root or what causes this?
Yes, if you want to listen on a port below 1024.

Ports below 1024 are considered "privileged ports" -- an old convention for distinguishing between services run by the system administrator of a machine and services run by other "unprivileged" users. This convention could be useful for security purposes if you imagine that system administrators trust each other for some purposes, or that you trust the system administrator of a certain server but don't trust every user of that server.

A specific example is NFS:

http://www.lst.de/~okir/blackhats/node67.html

In the original NFS design, machines are configured to trust each other and grant each other's requests, but the end users are not necessarily trustworthy, so the machines have to decide whether a particular request was authorized by the remote server's system administrator. This did lead to security problems if you had the ability to send packets on the network with an arbitrary source IP address, because requests were not authenticated beyond examination of their source IP address and port number (the same issue applied to the rsh/rlogin service).

Some people have suggested that the usefulness of the privileged port convention has decreased a lot over time, but it may still be useful for some purposes. (It seems that the use of public-key cryptography is ultimately better and safer than relying on TCP port numbers as a proof of identity... but, for example, it can be nice that the sysadmin of a multiuser system gets to reserve port 80 for the "official" web server on that system, instead of having a random user come in and set up their own web server there.)

Operating systems generally still do enforce the rule, so you still can't bind a privileged port if you aren't root!
-- 
Seth Schoen <[email protected]>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
454 Shotwell Street, San Francisco, CA 94110    +1 415 436 9333 x107

_______________________________________________
tor-talk mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
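The privileged-port rule Seth describes is easy to observe directly. The following Python script is an added example, not code from the thread or from the Tor project: it tries to bind TCP listeners on the same low ports Juppe's log shows (443 and 80) and on two unprivileged ports, and maps the resulting errno to what an operator needs to know. It assumes Unix-like semantics (Linux/BSD: ports 1-1023 require effective UID 0); the helper names and the 5xxx comparison ports are my own choices. The `errno` distinction matters in practice: `EACCES` means the privileged-port rule fired, whereas `EADDRINUSE` means the port is allowed but some other process already owns it, which calls for a different fix.

```python
# Added example (not from the tor-talk thread): demonstrates the privileged-port
# rule by trying to bind TCP listeners below and above port 1024 on a Unix-like
# host. Assumes Linux/BSD semantics (ports 1..1023 need effective UID 0).
import errno
import os
import socket

PRIVILEGED_PORT_LIMIT = 1024          # ports 1..1023 form the "privileged" range
PERMISSION_DENIED = errno.EACCES      # what bind() returns for a low port without root
ADDRESS_IN_USE = errno.EADDRINUSE     # a different failure: something else already listens there


def is_privileged_port(port: int) -> bool:
    """True for the reserved range (port 0 means 'pick an ephemeral port', so it is not)."""
    return 0 < port < PRIVILEGED_PORT_LIMIT


def expect_permission_denied(port: int) -> bool:
    """Whether this process should expect EACCES: a low port and an effective UID other than 0."""
    return is_privileged_port(port) and os.geteuid() != 0


def try_bind(host: str, port: int):
    """Attempt to bind a TCP listener and release it immediately.

    Returns (bound_port, None) on success or (None, errno_value) on failure.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((host, port))
        return sock.getsockname()[1], None
    except OSError as exc:
        return None, exc.errno
    finally:
        sock.close()


def describe_bind_error(err):
    """Map a bind() errno to the explanation an operator actually needs."""
    if err is None:
        return "bound successfully"
    if err == PERMISSION_DENIED:
        return "permission denied: privileged port, the process needs root to bind it"
    if err == ADDRESS_IN_USE:
        return "address already in use: another process already listens on this port"
    return os.strerror(err)


if __name__ == "__main__":
    host = "0.0.0.0"  # same wildcard address as in Juppe's log lines
    for port in (443, 80, 5443, 5080):  # 5xxx ports are constructed comparison values
        bound, err = try_bind(host, port)
        kind = "privileged" if is_privileged_port(port) else "unprivileged"
        print(f"{host}:{port:<5} ({kind}) -> {describe_bind_error(err)}")
```

Run it once as an ordinary user and once as root: as a user the two low ports report the permission-denied explanation while the 5xxx ports bind, and as root all four bind (unless something else already holds one, in which case the address-in-use branch tells you so). That is exactly the behaviour behind the `[warn] Could not bind` lines in the original question.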
