In Linux you have to be root in order to listen to TCP or UDP ports below 1024 (the
well-known ports). As far as I know, this limit is hardcoded in the kernel.
In some cases, this limit do more harm than good, so it would be nice to be able to adjust it.
FreeBSD have a pair of sysctl parameters allowing you to adjust (or effectively remove) this
limit, net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh. It would
be nice if something similar to net.inet.ip.portrange.reservedhigh was implemented in Linux
(with default value 1023).
I have no patch for this, since I have never done any kernel hacking before. But it seems
like it should be easy to implement by replacing the PROT_SOCK constant with
net.inet.ip.portrange.reservedhigh + 1.
(See my blog post for a more elaborate discussion about this:
http://www.staldal.nu/tech/2007/10/31/why-can-only-root-listen-to-ports-below-1024/)
/Mikael
On Tue, 20 Nov 2007 11:14:59 +0100
Mikael Ståldal <[email protected]> wrote:
> In Linux you have to be root in order to listen to TCP or UDP ports below 1024 (the
> well-known ports). As far as I know, this limit is hardcoded in the kernel.
>
> In some cases, this limit do more harm than good, so it would be nice to be able to adjust it.
The proper way to enable port <= 1024 binding support is adding CAP_NET_BIND_SERVICE to the process capability set, e.g. by using file-system capabilities.
On Tue, 20 Nov 2007 17:09:35 +0100
Mikael Ståldal <[email protected]> wrote:
> Hello.
>
> > The proper way to enable port <= 1024 binding support is adding CAP_NET_BIND_SERVICE
> > to the process capability set, e.g. by using file-system capabilities.
>
> Is file-system capabilites part of the stable official Linux kernel? From which version?
> How do I use it?
>
They were recently added in 2.6.24-rc1.
(mostly commit b53767719b6cd8789392ea3e7e2eb7b8906898f0)
The patch should be easy to backport, I've seen it in various
distro kernels.
According to the commit, documentation is at
http://www.friedhoff.org/fscaps.html
Some programs already have capability support - they
drop all permissions they don't need.
Radoslaw Szkodzinski (AstralStorm) skrev:
>> In Linux you have to be root in order to listen to TCP or UDP ports below 1024 (the
>> well-known ports). As far as I know, this limit is hardcoded in the kernel.
>
> The proper way to enable port <= 1024 binding support is adding CAP_NET_BIND_SERVICE to
> the process capability set, e.g. by using file-system capabilities.
And how do you protect ports >1024 from any user binding to them?
Isn't the 1024 limit somewhat obsolete and arbitrary today?
/Mikael
Mikael Ståldal wrote:
> And how do you protect ports >1024 from any user binding to them?
>
> Isn't the 1024 limit somewhat obsolete and arbitrary today?
No, it is not obsolete, yes, it always was arbitrary.
You prevent users from binding to those ports by only giving
applications that need to the capability, and only letting the users
that need to have execute permission to those programs.
Phillip Susi skrev:
> Mikael Ståldal wrote:
>> And how do you protect ports >1024 from any user binding to them?
>
> You prevent users from binding to those ports by only giving
> applications that need to the capability, and only letting the users
> that need to have execute permission to those programs.
I think you misunderstood my question.
How do you protect ports greater than 1024 from any user binding to them? E.g. port 1080.
/Mikael
Casey Schaufler skrev:
>> How do you protect ports greater than 1024 from any user binding to them?
>> E.g. port 1080.
>
> Should the OS manage port number allocations? I don't think so
> based on the notion of ports being names in an uncontrolled flat
> namespace. The whole problem is that people want to make assumptions
> about the applications providing services on a particular port, and
> no amount of OS control is going to solve that one.
This means that the OS should allow any user to bind to all ports, even those <1024.
/Mikael