
I've recently found the need to elevate an app to a higher privilege level in order to bind() to a port < 1024.

I've been running it with sudo, which is fine for internal testing, but deploying it running as root is generally a very bad idea.

I've heard of setuid root, but when I looked at the source code for lighttpd, for example, it shows:

#ifdef HAVE_GETUID
    if (!i_am_root && issetugid()) {
        /* we are setuid-root */

        log_error_write(srv, __FILE__, __LINE__, "s",
                "Are you nuts ? Don't apply a SUID bit to this binary");

        server_free(srv);
        return -1;
    }
#endif

What then is the generally accepted method to allow binding to a privileged port? I only need higher privilege for bind. After that it can be running as a normal user.

These are the ones I've heard of, but they don't seem to be what most software is using, which is why I'm asking this question.

  • setuid - root
  • setcap
hookenz
  • Interesting answers here: http://serverfault.com/questions/268099/bind-to-ports-less-than-1024-without-root-access – selbie Feb 19 '13 at 04:05
  • http://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privileged-ports-1024-on-l – selbie Feb 19 '13 at 04:08

1 Answer


You can assign the CAP_NET_BIND_SERVICE capability to the binary, or run as root to acquire the port and immediately drop permissions.

mmlb
  • Yes, it does appear that this might be the answer. Start off high and drop down rather than the other way around, or use capabilities. I just had a play around with setuid(0) and it doesn't work on Ubuntu by default; you still have to set CAP_SETUID capabilities. So it would seem setuid is old school. Capabilities or starting high and dropping down is how it would seem Apache and the like do it. – hookenz Feb 19 '13 at 04:16
  • To grant select capabilities to a specific python2 "project" (and not all python users) see this: http://stackoverflow.com/a/21895123/1724577 – duanev Feb 20 '14 at 21:39
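The answer's second option (bind while root, then drop privileges), written out as an added C example that is not code from the question, the answer, or lighttpd. It binds a loopback listener first, then drops to an unprivileged uid/gid in the order that actually works (supplementary groups, then gid, then uid, because none of those can be changed once the uid is no longer 0), and verifies the drop by checking that setuid(0) now fails, which is the same failure hookenz saw in the comment above. The account name "nobody" and port 80 in main() are assumptions for illustration.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a listening TCP socket bound to `port` on the loopback address.
 * Binding a port below 1024 needs root or CAP_NET_BIND_SERVICE, so this
 * must run before privileges are dropped. Returns the fd, or -1 on error. */
int bind_listen_port(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* loopback keeps the example local */
    addr.sin_port = htons(port);                     /* port 0 = kernel picks an ephemeral port */
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 16) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Permanently drop to `uid`/`gid`. Order matters: supplementary groups and
 * the gid first, because once the uid is non-zero they can no longer be
 * changed. Returns 0 on success, -1 on failure with errno set. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (getuid() == 0) {
        /* setgroups() needs CAP_SETGID, so only root can (and must) clear them */
        if (setgroups(0, NULL) < 0) return -1;
    }
    if (setgid(gid) < 0) return -1; /* gid before uid */
    if (setuid(uid) < 0) return -1; /* as root this sets real, effective and saved uid */
    /* Verify the drop is permanent: if root can still be regained, only the
     * effective uid changed (e.g. someone used seteuid) and that is not a drop. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Returns 1 if the process can no longer become root, 0 otherwise. */
int privileges_are_dropped(void) {
    return setuid(0) != 0;
}

int main(void) {
    int fd = bind_listen_port(80); /* assumption: port 80; needs root or CAP_NET_BIND_SERVICE */
    if (fd < 0) {
        perror("bind port 80");
        return 1;
    }
    if (getuid() == 0) {
        /* assumption: an unprivileged account named "nobody" exists on this host */
        struct passwd *pw = getpwnam("nobody");
        if (!pw) {
            fprintf(stderr, "user \"nobody\" not found\n");
            return 1;
        }
        if (drop_privileges(pw->pw_uid, pw->pw_gid) < 0) {
            perror("drop_privileges");
            return 1;
        }
    }
    /* Started via setcap rather than sudo: already unprivileged, nothing to drop */
    printf("listening on port 80 as uid %d; root regainable: %s\n",
           (int)getuid(), privileges_are_dropped() ? "no" : "yes");
    close(fd);
    return 0;
}
```

Build with `cc -o bindlow bindlow.c` and run it under sudo to see the bind-then-drop path. For the answer's first option instead, `sudo setcap cap_net_bind_service=+ep ./bindlow` (check with `getcap ./bindlow`) lets the binary bind port 80 without ever running as root, and the drop step is skipped because there is nothing to drop; the caveat is that the capability then stays in the process's effective set for its whole lifetime unless the program clears it itself (for example with libcap's cap_set_proc, not shown here), whereas the sudo path ends with a process that cannot get root back at all.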