How to make non-root User Programs in Linux use ports smaller than 1024

Source: Internet
Author: User

In Linux, by default only root can bind ports lower than 1024. If a program running as another user tries to bind one of these ports, the bind fails with a permission error. One option is to run the program under the root account, but that increases the security risk to the system. How can a program running as a non-root user listen on a port below 1024?

This article describes several methods:


Method 1: SetUID

Set the SetUID bit on the application's executable so that the program runs with root privileges no matter which user starts it. This lets the program run as root, but you need to be very careful: it also brings security risks, especially when the program being executed has vulnerabilities of its own.

The method is as follows:

  # The file must be owned by root for the SetUID bit to grant root privileges
  chown root:root /path/to/application
  # Use SetUID
  chmod u+s /path/to/application

We can see that files such as /usr/bin/passwd use SetUID on the system, so that every user can run passwd to change their password, which requires modifying /etc/passwd (only root has permission to write it).

Since the purpose of running the program as a non-root user is to reduce the security risk the program itself poses to the system, this method should be used with special caution.


Method 2: CAP_NET_BIND_SERVICE

Starting from version 2.1, the Linux kernel has had the concept of capabilities, which allow ordinary users to perform specific actions that are otherwise reserved for the superuser, including binding privileged ports.

With the CAP_NET_BIND_SERVICE capability, a service can bind to a low port even when it is running under a non-root account. Usage:

  # Set CAP_NET_BIND_SERVICE (run as root; the target must be a native binary)
  setcap 'cap_net_bind_service=+ep' /path/to/application

Note:

1. This method does not work on every Linux system: kernels before 2.1 do not provide capabilities, so check that the target system supports them;

2. If the program to be run is a script, this method does not work: file capabilities are applied to the binary the kernel executes, which for a script is the interpreter rather than the script itself.


Method 3: Port Forwarding

This method can be used if the program is allowed to listen on some other port. First, run the program under a non-root account and bind a port higher than 1024. Once it is confirmed to work normally, forward the low port to that higher port with port forwarding, so that the non-root program effectively serves the low port. To apply this method, use the following commands:

  # Enable the IP FORWARD kernel parameter.
  sysctl -w net.ipv4.ip_forward=1
  # Use iptables rules to redirect packets.
  # This flushes the whole nat table first; skip it if other NAT rules are in use.
  iptables -F -t nat
  # Rewrite incoming TCP packets for port 80 to port 8088 on this host.
  # PREROUTING only sees traffic arriving from the network; connections made
  # from the host itself go through the nat OUTPUT chain instead.
  iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination :8088

Step 1: sysctl makes sure that IP forwarding is enabled (it is disabled by default on Red Hat/CentOS). Note that a setting made with sysctl -w is temporary and is reset after a reboot. To make it persistent, modify the /etc/sysctl.conf file:

  # Default value is 0, needs to be changed to 1.
  # net.ipv4.ip_forward = 0
  net.ipv4.ip_forward = 1

Then load the new configuration from the file:

  # load new sysctl.conf
  sysctl -p /etc/sysctl.conf
  # or simply: sysctl -p
  # (the default filename is /etc/sysctl.conf)

Step 2: Use iptables to forward the low port to the port the program listens on. In this example, port 80 is forwarded to port 8088.

This method achieves our goal well: the program runs as a non-root user and still provides its service on a low port number.
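As an added example (not code from the original article), here is a small C program of the kind Method 2 applies to, since file capabilities only take effect on a native binary, not a script. It reads its own effective capability set from /proc/self/status, binds port 80 directly when CAP_NET_BIND_SERVICE (bit 10 in linux/capability.h) is present, and otherwise falls back to port 8088 behind the Method 3 iptables redirect. The function names and the loopback-only bind are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>

#define CAP_NET_BIND_SERVICE_BIT 10 /* bit index in the kernel capability mask */

/* Parse a CapEff hex mask (as printed in /proc/self/status) and report
 * whether CAP_NET_BIND_SERVICE is in the effective set. */
int has_cap_net_bind_service(const char *capeff_hex)
{
    unsigned long long caps = strtoull(capeff_hex, NULL, 16);
    return (int)((caps >> CAP_NET_BIND_SERVICE_BIT) & 1ULL);
}
/* Read this process's own CapEff line; returns 1, 0, or -1 if unreadable. */
int process_has_cap_net_bind_service(void)
{
    char line[256];
    int result = -1;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (strncmp(line, "CapEff:", 7) == 0) { /* strtoull skips the tab */
            result = has_cap_net_bind_service(line + 7);
            break;
        }
    fclose(f);
    return result;
}
/* Bind a TCP socket on 127.0.0.1:port; returns the fd, or -1 (e.g. EACCES). */
int bind_port(unsigned short port)
{
    struct sockaddr_in addr = { .sin_family = AF_INET, .sin_port = htons(port) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (fd >= 0 && bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}
/* Bind port 80 directly when the capability is present (Method 2); otherwise
 * bind 8088 and rely on an iptables redirect from 80 (Method 3). */
int listen_fd_for_service(int *used_port)
{
    int fd = process_has_cap_net_bind_service() == 1 ? bind_port(80) : -1;
    *used_port = fd >= 0 ? 80 : 8088;
    return fd >= 0 ? fd : bind_port(8088);
}
```

After applying setcap to the compiled binary, a non-root run should report port 80; without it the same binary falls back to 8088.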


Method 4: RINETD

This method also relies on port forwarding. rinetd can map local ports to remote ports. However, it is a little awkward for our purpose: it adds an extra program to the system, which may increase the risk to the system, so it is not recommended here.

(Reprinted from the original article, with minor modifications.)
