
I am in charge of setting up a JBoss web application that runs over SSL and thus should be accessible over port 443.

Of course, it can be started by a user with root privileges, but that is something I'd like to avoid. I'd like to run it as a non-privileged user so I can strictly control everything this application does and give no more access than needed.

However, the problem is that non-privileged users cannot bind to <1024 ports. I am aware of the reasons why this is so by design; however, this security principle does not let me practice good security with my JBoss application.

What is the best way to solve this? I'd certainly like to avoid an ugly solution like binding to port 8443 instead.

Passiday
  • Should be on [unix.se] or [sf] IMHO. – sebix Jul 25 '15 at 09:35
  • Thanks for the suggestion, I posted now in the Unix & Linux forum. – Passiday Jul 25 '15 at 21:29
  • I think it's not strictly an admin question, since the common approach to solving this requires some coding and changes in application design :) – gavv Jul 31 '15 at 10:38
  • @gavv Usually it's just a single command - `setcap 'cap_net_bind_service=+ep' /path/to/program`, rather than any coding. See https://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privileged-ports-on-linux – mikemaccana Jan 26 '23 at 09:38
  • Does this answer your question? [Is there a way for non-root processes to bind to "privileged" ports on Linux?](https://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privileged-ports-on-linux) – mikemaccana Jan 26 '23 at 09:38
  • @mikemaccana thanks for the link, I went the authbind way. Quite a long time ago, indeed. – Passiday Feb 03 '23 at 16:42
  • @Passiday It's not so much for you, but to identify whether it's the same question (or the same answer) for other people, to avoid duplicates on Stack Overflow. – mikemaccana Feb 03 '23 at 16:57
  • @mikemaccana yes, it's the same question. – Passiday Feb 05 '23 at 19:03

1 Answer


1.

A common approach to writing network services that use privileged ports is:

  • start the service as root;
  • create a socket and bind it to the privileged port;
  • drop root privileges by switching to an unprivileged user:
    • use setuid(2) to drop privileges irreversibly;
    • use seteuid(2) to drop privileges but remain able to switch back to root.

2.

A common approach to allowing unprivileged users to start a privileged service is to set the setuid bit.

After binding to the privileged port, the service can switch back to the real user id (the user that started your service) or to some special user (like the cron user for the cron daemon).

3.

Another (Linux-specific) option is to give your service the CAP_NET_BIND_SERVICE capability without giving it full root privileges.

This can be done directly in code using libpcap (but you still need the setuid bit), or by attaching the capability bit to the executable, if your filesystem supports it (thus you don't need the setuid bit).

gavv
  • I went the authbind way, it felt simpler and more natural. – Passiday Jul 31 '15 at 11:23
  • I agree that it is simpler, but in my opinion it is a workaround for poorly designed programs. So I would not recommend it for "real" applications. See the "BUGS" section in the authbind manual page. – gavv Jul 31 '15 at 11:29