On Linux, ports below 1024 are privileged by default: only root can bind to them, and a program running under any other user that tries to do so gets an error (bind() fails with EACCES, "Permission denied"). The easy way out is to run the program as root, but that exposes the whole system to whatever bugs the program has. How can a non-root user run a program that listens on a port below 1024?
This article gives several methods:
Method 1: SetUID
Setting the set-user-ID bit on an executable owned by root makes the program run with root's privileges no matter who starts it. This gets the program onto the low port, but it also hands the program full root for its entire lifetime, so it must be used with great care, especially if the program itself may have security bugs. A setuid program should at least drop root as soon as the socket is bound.
The commands are:
chown root:root /path/to/application
# Use SetUID
chmod u+s /path/to/application
An example on any system is /usr/bin/passwd, which is setuid root so that every user can change their own password: doing so means writing /etc/passwd and /etc/shadow, which only root may modify.
Since the whole point of running the program as a non-root user is to limit the damage the program can do to the system, this method should be used only with great caution; it removes exactly the protection we were after.
Method 2: CAP_NET_BIND_SERVICE
Since the 2.2 series (developed during 2.1), the Linux kernel has had the concept of capabilities: root's privileges are split into separate pieces, so an ordinary process can be given only the one piece of superuser work it needs, such as binding privileged ports.
A program that holds CAP_NET_BIND_SERVICE can bind to a port below 1024 even though it runs under a non-root account, and it gains none of root's other powers. The command is:
# Set CAP_NET_BIND_SERVICE
setcap cap_net_bind_service=+ep /path/to/application
Notes:
1. This method is not available on every Linux system. Capabilities as such date from kernel 2.2, but the file capabilities that setcap relies on need kernel 2.6.24 or later, the libcap tools (setcap/getcap), and a filesystem that supports extended attributes. Check that the target system supports all of this before relying on it. Note also that the capability is stored on the file, so it is lost when the file is replaced (for example by a package upgrade) and has to be set again.
2. If the program to be run is a script, this method does not work. The kernel applies file capabilities only to the binary it actually executes, and for a script that is the interpreter, not the script file, so capabilities set on the script are ignored (the same reason setuid bits on scripts are ignored). Granting the capability to the interpreter instead is not a fix: it would give the capability to every script that interpreter runs.
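Added example, not code from the original article: a small C program that binds a privileged port as a non-root user through either of the two methods above. Installed setuid-root (method 1) it drops root permanently right after the bind; given CAP_NET_BIND_SERVICE (method 2) it never has root at all. It also shows how a process can read its own effective capability set from /proc/self/status to tell which case it is in. The binary name bindlow, the default port 80 and the build and install commands in the header comment are assumptions.

```c
/* bindlow.c: bind a listening socket on a privileged port from a non-root
 * user, via setuid-root (method 1, dropping root right after the bind) or
 * via CAP_NET_BIND_SERVICE (method 2).  Added example; names are assumptions.
 *
 * Build:     gcc -Wall -O2 -o bindlow bindlow.c
 * Method 1:  sudo chown root:root bindlow && sudo chmod u+s bindlow
 * Method 2:  sudo setcap cap_net_bind_service=+ep bindlow ; getcap bindlow
 * Run:       ./bindlow 80
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define CAP_NET_BIND_SERVICE_BIT 10   /* value of CAP_NET_BIND_SERVICE */

/* Ports 1-1023 need root or CAP_NET_BIND_SERVICE; port 0 ("pick an
 * ephemeral port") and everything from 1024 up do not. */
int is_privileged_port(int port)
{
    return port > 0 && port < 1024;
}

/* Look up one capability bit in the CapEff line of a /proc/<pid>/status
 * text.  Returns 1 if set, 0 if clear, -1 if the line is missing or
 * malformed.  Takes the text as a string so it can be checked on
 * constructed input; self_has_net_bind_service() feeds it the live file. */
int cap_eff_has(const char *status_text, int bit)
{
    const char *line = strstr(status_text, "CapEff:");
    if (!line)
        return -1;
    line += strlen("CapEff:");
    char *end;
    unsigned long long mask = strtoull(line, &end, 16);  /* hex bitmask */
    if (end == line)
        return -1;
    return (int)((mask >> bit) & 1ULL);
}

/* Does this process currently hold CAP_NET_BIND_SERVICE in its effective set? */
int self_has_net_bind_service(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return cap_eff_has(buf, CAP_NET_BIND_SERVICE_BIT);
}

/* Bind and listen on 0.0.0.0:port.  Returns the socket fd, or -errno
 * (so a privileged port without privilege yields -EACCES). */
int listen_on_port(int port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons((unsigned short)port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 16) < 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    return fd;
}

/* If running setuid-root, give root up for good once the socket is bound:
 * setuid() by a privileged process sets the real, effective and saved ids,
 * so the change cannot be undone.  Returns 0 on success or -errno. */
int drop_root(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (geteuid() != 0 || ruid == 0)
        return 0;  /* not setuid-root (or genuinely root): nothing to drop */
    /* A real daemon should also clear supplementary groups with setgroups(2). */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -errno;
    if (setuid(0) == 0)  /* must now fail; if it succeeds the drop was not permanent */
        return -EPERM;
    return 0;
}

int main(int argc, char **argv)
{
    int port = argc > 1 ? atoi(argv[1]) : 80;  /* port 80 is an assumption */
    printf("uid=%d euid=%d cap_net_bind_service=%d privileged_port=%d\n",
           (int)getuid(), (int)geteuid(), self_has_net_bind_service(),
           is_privileged_port(port));
    int fd = listen_on_port(port);
    if (fd < 0) {
        fprintf(stderr, "bind to port %d failed: %s\n", port, strerror(-fd));
        return 1;
    }
    if (drop_root() != 0) {
        fprintf(stderr, "could not drop root, refusing to serve\n");
        return 1;
    }
    printf("listening on port %d as uid %d\n", port, (int)getuid());
    close(fd);  /* a real server would accept() connections here */
    return 0;
}
```

Run it once without any privilege to see the EACCES failure, then with either installation method. Under method 1 the first line shows euid=0 and the last line shows the caller's own uid; under method 2 euid stays non-zero and cap_net_bind_service=1. The bind comes before the privilege drop because that is the only step that needs the privilege.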
Method 3: Port forwarding
If the program can be told to listen on some other port, this method works: run it under a non-root account bound to a port above 1024, check that it works, and then forward the low port to that high port. Clients connect to the low port and reach the non-root program on the high one. One way to set this up:
# Enable the ip_forward kernel parameter.
sysctl -w net.ipv4.ip_forward=1
# Use iptables rules to redirect packets
iptables -F -t nat
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to :8088
The first step uses sysctl to enable IP forwarding (disabled by default on Red Hat/CentOS). Two caveats: enabling ip_forward makes the host route packets between its interfaces, which is a change in its security posture, and strictly it is only needed when the forwarded packets go to another host; for a redirect to a port on the same machine the DNAT rule alone is enough, so leave it off if you do not need it. Also note that a value set with sysctl -w is temporary and is lost on reboot; to make it permanent, edit /etc/sysctl.conf:
# Default value is 0, change it to 1.
# net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1
Then load the new configuration from the file:
# load the new sysctl.conf
sysctl -p /etc/sysctl.conf
# or simply: sysctl -p
# (the default filename is /etc/sysctl.conf)
The second step uses iptables to redirect the low port to the port the program actually listens on; in the example, port 80 is forwarded to 8088. Two things to watch: iptables -F -t nat flushes every existing rule in the nat table, so on a host that already does NAT add the rule without the flush; and a PREROUTING rule only sees packets arriving from the network, so connections made from the host itself to its own port 80 are not redirected unless a matching rule is added to the nat OUTPUT chain as well.
This method serves our purpose well: the program runs as a non-root user and still provides its service on the low port.
Method 4: rinetd
rinetd is a user-space port forwarder that maps a local port to a local or remote port. For our purpose it adds little over the iptables approach, and it means running one more program on the system, one that listens on the privileged port itself and must be trusted and kept patched, which increases the attack surface. It is not recommended here.
How to let a non-root user's program use ports below 1024 on Linux