Possibility to adjust the only-root-can-bind-to-port-under-1024 limit - Kernel
-
Possibility to adjust the only-root-can-bind-to-port-under-1024 limit
In Linux you have to be root in order to listen to TCP or UDP ports below 1024 (the
well-known ports). As far as I know, this limit is hardcoded in the kernel.
In some cases, this limit does more harm than good, so it would be nice to be able to adjust it.
FreeBSD have a pair of sysctl parameters allowing you to adjust (or effectively remove) this
limit, net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh. It would
be nice if something similar to net.inet.ip.portrange.reservedhigh was implemented in Linux
(with default value 1023).
I have no patch for this, since I have never done any kernel hacking before. But it seems
like it should be easy to implement by replacing the PROT_SOCK constant with
net.inet.ip.portrange.reservedhigh + 1.
(See my blog post for a more elaborate discussion about this:
http://www.staldal.nu/tech/2007/10/3...ts-below-1024/)
/Mikael
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
-
Re: Possibility to adjust the only-root-can-bind-to-port-under-1024 limit
On Tue, 20 Nov 2007 11:14:59 +0100
Mikael Ståldal wrote:
> In Linux you have to be root in order to listen to TCP or UDP ports below 1024 (the
> well-known ports). As far as I know, this limit is hardcoded in the kernel.
>
> In some cases, this limit does more harm than good, so it would be nice to be able to adjust it.
The proper way to enable port <= 1024 binding support is adding CAP_NET_BIND_SERVICE to the process capability set, e.g. by using file-system capabilities.
-
Re: Possibility to adjust the only-root-can-bind-to-port-under-1024 limit
On Tue, 20 Nov 2007 17:09:35 +0100
Mikael Ståldal wrote:
> Hello.
>
> > The proper way to enable port <= 1024 binding support is adding CAP_NET_BIND_SERVICE
> > to the process capability set, e.g. by using file-system capabilities.
>
> Is file-system capabilities part of the stable official Linux kernel? From which version?
> How do I use it?
>
They were recently added in 2.6.24-rc1.
(mostly commit b53767719b6cd8789392ea3e7e2eb7b8906898f0)
The patch should be easy to backport, I've seen it in various
distro kernels.
According to the commit, documentation is at
http://www.friedhoff.org/fscaps.html
Some programs already have capability support - they
drop all permissions they don't need.
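The two replies above describe the mechanism in words: the kernel refuses a bind() below the hard-coded PROT_SOCK threshold unless the process holds CAP_NET_BIND_SERVICE, that capability can be attached to a binary with file-system capabilities, and a well-behaved daemon drops the capabilities it no longer needs once its socket is bound. The following C program is an added example written for this page; it is not code from the thread, from Radoslaw, or from the kernel. It assumes Linux, uses the raw capget/capset system calls so that libcap is not required, and picks port 80 purely for illustration. `needs_bind_cap()` models the kernel's port check with the threshold as a parameter, which is the adjustable limit the original poster asked for (a later kernel exposes exactly that as the `net.ipv4.ip_unprivileged_port_start` sysctl, default 1024).

```c
/* Added example, not from the LKML thread: PROT_SOCK policy, a
 * CAP_NET_BIND_SERVICE check, a privileged bind() and a full capability
 * drop, all via raw syscalls (no libcap). Linux only. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/capability.h>

#define PROT_SOCK 1024   /* the kernel's hard-coded threshold discussed in the thread */

/* Mirror of the kernel rule: binding to a non-zero port below `unpriv_start`
 * requires CAP_NET_BIND_SERVICE. Port 0 asks for an ephemeral port and never
 * needs the capability. unpriv_start == PROT_SOCK is the fixed 2007 policy;
 * any other value models the adjustable threshold proposed by the poster. */
int needs_bind_cap(unsigned port, unsigned unpriv_start)
{
    return port != 0 && port < unpriv_start;
}

/* 1 if CAP_NET_BIND_SERVICE is in the calling thread's effective set,
 * 0 if not, -1 if capget() itself failed. */
int have_cap_net_bind_service(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    /* CAP_NET_BIND_SERVICE is 10, so it lives in data[0] (bits 0..31) */
    return (data[0].effective >> CAP_NET_BIND_SERVICE) & 1u;
}

/* Clear the effective, permitted and inheritable sets. This is the
 * "drop all permissions they don't need" step: once the listening socket
 * is bound, the daemon keeps no capability at all. 0 on success, -errno on failure. */
int drop_all_caps(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -errno;
    return 0;
}

/* Bind a TCP listener on 127.0.0.1:port. Returns the fd, or -errno; an
 * unprivileged process gets -EACCES for any port below PROT_SOCK. */
int bind_listener(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0) {
        int e = errno;
        close(fd);
        return -e;
    }
    return fd;
}

int main(void)
{
    unsigned short port = 80;   /* a well-known port, chosen for illustration only */
    printf("CAP_NET_BIND_SERVICE in effective set: %d\n", have_cap_net_bind_service());
    printf("port %u needs the capability under PROT_SOCK: %d\n",
           port, needs_bind_cap(port, PROT_SOCK));
    int fd = bind_listener(port);
    if (fd < 0)
        printf("bind(%u) failed: %s\n", port, strerror(-fd));
    else
        printf("bind(%u) succeeded on fd %d\n", port, fd);
    /* Bound or not, nothing that follows needs a capability: drop them all. */
    printf("drop_all_caps -> %d, capability afterwards: %d\n",
           drop_all_caps(), have_cap_net_bind_service());
    return 0;
}
```

Run as an ordinary user, the bind fails with "Permission denied". After `setcap cap_net_bind_service=+ep ./bindcap` (the libcap tool Radoslaw's reply points at; `getcap ./bindcap` shows the result, and the filesystem must support extended attributes), the same unprivileged user binds port 80, and the capability check prints 0 after the drop because the process has given it away for good. Restricting who may run such a binary is ordinary file permissions on the executable, which is the other half of the answer given later in the thread.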
-
Re: Possibility to adjust the only-root-can-bind-to-port-under-1024 limit
Radoslaw Szkodzinski (AstralStorm) wrote:
>> In Linux you have to be root in order to listen to TCP or UDP ports below 1024 (the
>> well-known ports). As far as I know, this limit is hardcoded in the kernel.
>
> The proper way to enable port <= 1024 binding support is adding CAP_NET_BIND_SERVICE to
> the process capability set, e.g. by using file-system capabilities.
And how do you protect ports >1024 from any user binding to them?
Isn't the 1024 limit somewhat obsolete and arbitrary today?
/Mikael
-
Re: Possibility to adjust the only-root-can-bind-to-port-under-1024 limit
Mikael Ståldal wrote:
> And how do you protect ports >1024 from any user binding to them?
>
> Isn't the 1024 limit somewhat obsolete and arbitrary today?
No, it is not obsolete, yes, it always was arbitrary.
You prevent users from binding to those ports by only giving
applications that need to the capability, and only letting the users
that need to have execute permission to those programs.
-
Re: Possibility to adjust the only-root-can-bind-to-port-under-1024 limit
Phillip Susi wrote:
> Mikael Ståldal wrote:
>> And how do you protect ports >1024 from any user binding to them?
>
> You prevent users from binding to those ports by only giving
> applications that need to the capability, and only letting the users
> that need to have execute permission to those programs.
I think you misunderstood my question.
How do you protect ports greater than 1024 from any user binding to them? E.g. port 1080.
/Mikael