[linux-security] Re: Configuration for binding to "secure" ports?
daemon@ATHENA.MIT.EDU (Malcolm Beattie)
Fri May 29 12:05:52 1998
Date: Fri, 29 May 1998 12:30:03 +0100 (BST)
From: Malcolm Beattie <mbeattie@sable.ox.ac.uk>
In-reply-to: <000f01bd8a94$f9ce9460$d2e84ace@admin.wgcr.org>
To: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
Lamar Owen writes:
> I began to think -- what if there was a way to configure the kernel to
> allow a non-root program to listen on a particular "secure" port --
> then I wouldn't have to start various and sundry network daemons as
> root, just to have them seteuid to another user after acquiring the
> port.
[...]
> reasons prohibit me at this time. So, I am currently stuck at 2.0.x,
> which has no such 'capabilities' (bad pun).
I've written a "socket filesystem" for 2.0 that lets you set
user/group and permissions on ports less than 1024 simply by doing
things like
chown named /sockfs/53
chown ldap /sockfs/389
There's a small kernel patch (which changes the "check for <1024"
socket bind test to callout to a separate function) and a sockfs.o
filesystem module. You do
insmod sockfs.o
mount -t sockfs sockfs /sockfs
and then the appropriate "write" permission bit on the (fake) file
/sockfs/n determines whether owner/group/other can bind to port n.
It's available from
ftp://ftp.ox.ac.uk/pub/linux/sockfs-a1.tar.gz
and is only 6K. It's alpha1 as its name implies and only lightly
tested but it's really very simple.
--Malcolm
--
Malcolm Beattie <mbeattie@sable.ox.ac.uk>
Unix Systems Programmer
Oxford University Computing Services
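The check described in the message above, modelled in user space as an added example (this is not Malcolm's sockfs code and is not taken from the sockfs-a1 tarball). It assumes the semantics the mail implies but does not spell out: ports at or above 1024 are always allowed, uid 0 keeps its traditional right to bind any port, and the owner/group/other write bit of /sockfs/n is applied Unix-style (owner bit if the euid matches, else group bit if the egid matches, else other bit). The uids and modes in the table are constructed sample values standing in for "chown named /sockfs/53" and "chown ldap /sockfs/389".

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

#define PROT_SOCK 1024           /* the kernel's "ports below this are privileged" limit */

struct sockfs_entry {            /* what stat(2) on /sockfs/n would report */
    unsigned short port;
    uid_t uid;                   /* owner of /sockfs/n */
    gid_t gid;                   /* group of /sockfs/n */
    mode_t mode;                 /* permission bits only */
};

/* Constructed sample table: named (uid 25) owns port 53, ldap (uid 55) owns 389.
 * Mode 0644: only the owner has the write bit, i.e. only the owner may bind. */
static const struct sockfs_entry table[] = {
    { 53,  25, 25, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH },
    { 389, 55, 55, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH },
};

/* Decide from one /sockfs/n entry: classic owner/group/other selection,
 * so a matching owner is judged only by the owner bit even if the group bit
 * would have allowed the bind. Supplementary groups are ignored (assumption). */
int sockfs_may_bind(const struct sockfs_entry *e, uid_t euid, gid_t egid)
{
    if (euid == e->uid)  return (e->mode & S_IWUSR) != 0;
    if (egid == e->gid)  return (e->mode & S_IWGRP) != 0;
    return (e->mode & S_IWOTH) != 0;
}

/* The callout that replaces the old "port < 1024 requires root" test.
 * Returns 1 if a process with (euid, egid) may bind to port, else 0. */
int may_bind(uid_t euid, gid_t egid, unsigned short port)
{
    size_t i;
    if (port >= PROT_SOCK || euid == 0)     /* unprivileged port, or root */
        return 1;
    for (i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].port == port)
            return sockfs_may_bind(&table[i], euid, egid);
    return 0;                               /* no /sockfs/n entry: stay closed */
}

int main(void)
{
    printf("named -> 53:  %d\n", may_bind(25, 25, 53));    /* 1: owner write bit */
    printf("ldap  -> 53:  %d\n", may_bind(55, 55, 53));    /* 0: other has no write bit */
    printf("uid1000(gid named) -> 53: %d\n", may_bind(1000, 25, 53)); /* 0: group is read-only */
    printf("ldap  -> 8080: %d\n", may_bind(55, 55, 8080)); /* 1: not a privileged port */
    return 0;
}
```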
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/null