Under Linux, by default only root can bind ports below 1024; an attempt by any other user fails with an error. At some point we may be tempted simply to run the program under the root account, but that poses a security risk to the Linux system. How can a non-root user run a program that listens on a port below 1024 for the outside world?
This article tries to give a few methods:
The first method: SetUID
Setting the set-user-ID bit on the application's executable lets the program run as its owner, which allows the program to run as root. This requires great care, because it also introduces a security risk, especially if the program itself has security flaws.
The commands used are:
chown root:root /path/to/application
# use SetUID
chmod u+s /path/to/application
We can see this on the system with files such as /usr/bin/passwd: it uses setuid so that every user can run passwd to change their own password, which means modifying the file /etc/passwd (and only root has permission to do that).
Since the whole point of running the program as a non-root user is to reduce the security risk the program poses to the system, use this method with special care.
The second method: cap_net_bind_service
Starting with version 2.1, the Linux kernel has the concept of capabilities, which allow ordinary users to do work that previously only the superuser could do, including using privileged ports.
With the cap_net_bind_service capability, a service program can bind to a low port even when it runs under a non-root account. The command used:
# set cap_net_bind_service
setcap cap_net_bind_service=+ep /path/to/application
Note:
1. This method is not available on all Linux systems: kernels before 2.1 do not provide it, so check that the system on which you want to use it supports it;
2. Also note that if the program file to be run is a script, this method cannot work.
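Covering the SetUID method above and this capability method together, here is an added example in POSIX shell (it is not code from the original article): helpers that check whether a file is set-user-ID, refuse to apply a file capability to a script (the case in note 2, since the kernel executes the interpreter and the script's file capabilities are not carried over), apply cap_net_bind_service to a binary, and verify the result by parsing getcap output. The function names are my own; /path/to/application is the article's placeholder; libcap's setcap and getcap are assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumes libcap's
# setcap/getcap are installed and that the caller may run setcap (normally
# root, once, at install time; the service itself then runs unprivileged).

# Return 0 if the file has the set-user-ID bit (the state the first method creates).
is_setuid() {
    [ -u "$1" ]
}

# Return 0 if the file starts with "#!". File capabilities are ignored for
# such scripts because the kernel executes the interpreter, not the script.
is_script() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# Parse one line of getcap output and return 0 only if cap_net_bind_service
# is present with both the permitted (p) and effective (e) flags. Handles the
# older format "/app = cap_net_bind_service+ep" and the newer
# "/app cap_net_bind_service=ep", including grouped clauses such as
# "cap_net_bind_service,cap_net_raw=ep".
has_bind_cap() {
    case "$1" in
        *cap_net_bind_service*) ;;
        *) return 1 ;;
    esac
    rest=${1##*cap_net_bind_service}   # text after the capability name
    rest=${rest%% *}                    # up to the end of this clause
    flags=${rest##*[=+]}                # flag letters after the last '=' or '+'
    [ -n "$flags" ] && [ "$flags" != "$rest" ] || return 1   # no '=' or '+' found
    case "$flags" in *e*) ;; *) return 1 ;; esac
    case "$flags" in *p*) return 0 ;; *) return 1 ;; esac
}

# Grant cap_net_bind_service to a binary and verify it took effect.
# Exit codes: 0 ok, 1 setcap or verification failed, 2 refused.
grant_bind_cap() {
    app="$1"
    if [ ! -f "$app" ]; then
        echo "grant_bind_cap: $app: no such file" >&2
        return 2
    fi
    if is_script "$app"; then
        echo "grant_bind_cap: $app is a script; file capabilities apply only to binaries" >&2
        return 2
    fi
    if is_setuid "$app"; then
        echo "grant_bind_cap: warning: $app is set-user-ID; consider chmod u-s once the capability works" >&2
    fi
    setcap 'cap_net_bind_service=+ep' "$app" || return 1
    has_bind_cap "$(getcap "$app")"
}

# Usage (as root, at install time):
#   . ./grant_bind_cap.sh
#   grant_bind_cap /path/to/application
```

The verification step matters: a capability-bearing file loses its file capabilities when it is overwritten (for example by a package upgrade or a rebuild), so it is worth re-running the check after deployments rather than assuming the setcap from install time is still in place.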
The third method: Port Forwarding
If the program you want to run can listen on another port, this method can be used: first run the program under the non-root account bound to a port above 1024, and once it is working normally, forward the low port to that high port. This lets a program run by a non-root user effectively serve a low port. The commands used are:
# Enable the IP forward kernel parameter.
sysctl -w net.ipv4.ip_forward=1
# Use iptables rules to redirect packets
iptables -F -t nat
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination :8088
The first step is to use sysctl to make sure IP forwarding is enabled (it is disabled by default on Red Hat/CentOS). Note that the sysctl setting shown above is temporary and will be reset after a reboot; to keep it permanently, change it in the /etc/sysctl.conf file:
# Default value is 0, need change to 1.
# net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1
Then load the new configuration from the file:
# Load new sysctl.conf
sysctl -p /etc/sysctl.conf
# or: sysctl -p
# Default filename is /etc/sysctl.conf
The second step is to use an iptables rule to forward the low port to the port the program listens on; in the example we forward port 80 to 8088.
This method achieves our goal well: the program runs as a non-root user and still offers its service on a low port number to the outside world.
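As an added example for the two steps above (it is not code from the original article), the following POSIX shell helpers make the ip_forward setting persistent in a sysctl.conf-style file idempotently, read back what the file sets, and build the iptables DNAT rule from validated port numbers instead of typing it by hand. The function names are my own; the 80 and 8088 ports are the article's example values.

```shell
#!/bin/sh
# Added example, not code from the original article. Shows the two steps of
# the port-forwarding method as idempotent, checkable helpers.

# Rewrite CONF (default /etc/sysctl.conf) so that exactly one active
# "net.ipv4.ip_forward = 1" line remains. Comment lines such as
# "# net.ipv4.ip_forward = 0" are kept; a second active ip_forward line
# would be ambiguous, so it is dropped.
set_ip_forward_conf() {
    conf="${1:-/etc/sysctl.conf}"
    tmp="$conf.tmp.$$"
    [ -f "$conf" ] || : > "$conf"
    awk 'BEGIN { done = 0 }
         /^[ \t]*net\.ipv4\.ip_forward[ \t]*=/ {
             if (!done) { print "net.ipv4.ip_forward = 1"; done = 1 }
             next
         }
         { print }
         END { if (!done) print "net.ipv4.ip_forward = 1" }' "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
}

# Print the value the file sets for net.ipv4.ip_forward (the last active
# line wins, as sysctl -p applies lines in order); empty if it is not set.
ip_forward_conf_value() {
    awk -F= '/^[ \t]*net\.ipv4\.ip_forward[ \t]*=/ { v = $2; gsub(/[ \t]/, "", v) }
             END { print v }' "${1:-/etc/sysctl.conf}"
}

# Print the current runtime value (1 = forwarding enabled).
ip_forward_runtime_value() {
    cat /proc/sys/net/ipv4/ip_forward
}

# Print the iptables command that sends traffic for privileged port LOW to
# the unprivileged port HIGH the service actually listens on. Rejects port
# pairs that do not fit the method (LOW must be 1-1023, HIGH 1024-65535).
redirect_rule_cmd() {
    low="$1"; high="$2"
    case "$low" in ''|*[!0-9]*) echo "low port must be numeric" >&2; return 1 ;; esac
    case "$high" in ''|*[!0-9]*) echo "high port must be numeric" >&2; return 1 ;; esac
    if [ "$low" -lt 1 ] || [ "$low" -gt 1023 ]; then
        echo "low port must be 1-1023, got $low" >&2; return 1
    fi
    if [ "$high" -lt 1024 ] || [ "$high" -gt 65535 ]; then
        echo "high port must be 1024-65535, got $high" >&2; return 1
    fi
    echo "iptables -t nat -A PREROUTING -p tcp --dport $low -j DNAT --to-destination :$high"
}

# Usage, as root:
#   set_ip_forward_conf /etc/sysctl.conf && sysctl -p /etc/sysctl.conf
#   redirect_rule_cmd 80 8088 | sh
#   iptables -t nat -L PREROUTING -n   # confirm the rule is present
```

Three things to keep in mind when using this in practice: the article's `iptables -F -t nat` flushes every rule in the nat table, so on a host that already has NAT rules prefer appending the single rule the helper prints; a PREROUTING rule only applies to packets arriving from the network, so connections made from the host itself to port 80 are not redirected (a matching rule in the nat OUTPUT chain is needed for that); and the high port stays directly reachable from outside, so filter it if only the low port should be exposed. Like the sysctl -w setting, the iptables rule is not persistent across reboots on its own.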
The fourth method: rinetd
This method also uses port forwarding and can map a local port to a remote port, but for our purpose it is of little value; after all, we would be adding another program, which could increase the risk to our system. It is not recommended here.
How to let a non-root user's program use ports below 1024 on Linux