是否有一种方法可以将非根进程绑定到

是否有一种方法可以将非根进程绑定到

本文介绍了是否有一种方法可以将非根进程绑定到“特权"进程? Linux上的端口?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

当我之外再也没有其他用户时,在我的开发箱中设置此限制非常令人讨厌.

我知道标准变通办法,但是它们都不能完全发挥作用我想要:

  1. authbind (Debian测试版1.0,仅支持IPv4)
  2. 使用iptables REDIRECT目标将低端端口重定向到高端端口(尚未为iptables的IPv6版本ip6tables实现"nat"表)
  3. sudo(我想避免以root用户运行)
  4. SELinux(或类似版本). (这只是我的开发箱,我不想引入很多额外的复杂性.)

在Linux上是否有一些简单的sysctl变量允许非root用户进程绑定到特权"端口(端口小于1024),还是我不走运?

在某些情况下,您可以来执行此操作.

解决方案

好的,感谢那些指出功能系统和CAP_NET_BIND_SERVICE功能的人.如果您使用的是最新内核,则确实可以使用它以非root用户身份启动服务,但绑定低端口.简短的答案是您可以这样做:

setcap 'cap_net_bind_service=+ep' /path/to/program

然后在任何时候执行program之后都将具有CAP_NET_BIND_SERVICE功能. setcap在debian软件包libcap2-bin中.

现在要告诫:

  1. 您至少需要2.6.24内核
  2. 如果您的文件是脚本,则此方法将无效. (即,使用#!行启动解释器).据我所知,在这种情况下,您必须将功能应用于解释器可执行文件本身,这当然是安全的噩梦,因为使用该解释器的任何程序都将具有该功能.我找不到解决此问题的任何简单明了的方法.
  3. Linux将在具有提升的特权(例如setcapsuid)的任何program上禁用LD_LIBRARY_PATH.因此,如果您的program使用其自己的.../lib/,则可能需要考虑其他选项,例如端口转发.

资源:

注意: RHEL在v6中首次添加了此功能.

It's very annoying to have this limitation on my development box, when there won't ever be any users other than me.

I'm aware of the standard workarounds, but none of them do exactly what I want:

  1. authbind (The version in Debian testing, 1.0, only supports IPv4)
  2. Using the iptables REDIRECT target to redirect a low port to a high port (the "nat" table is not yet implemented for ip6tables, the IPv6 version of iptables)
  3. sudo (Running as root is what I'm trying to avoid)
  4. SELinux (or similar). (This is just my dev box, I don't want to introduce a lot of extra complexity.)

Is there some simple sysctl variable to allow non-root processes to bind to "privileged" ports (ports less than 1024) on Linux, or am I just out of luck?

EDIT: In some cases, you can use capabilities to do this.

解决方案

Okay, thanks to the people who pointed out the capabilities system and CAP_NET_BIND_SERVICE capability. If you have a recent kernel, it is indeed possible to use this to start a service as non-root but bind low ports. The short answer is that you do:

setcap 'cap_net_bind_service=+ep' /path/to/program

And then anytime program is executed thereafter it will have the CAP_NET_BIND_SERVICE capability. setcap is in the debian package libcap2-bin.

Now for the caveats:

  1. You will need at least a 2.6.24 kernel
  2. This won't work if your file is a script. (ie, uses a #! line to launch an interpreter). In this case, as far I as understand, you'd have to apply the capability to the interpreter executable itself, which of course is a security nightmare, since any program using that interpreter will have the capability. I wasn't able to find any clean, easy way to work around this problem.
  3. Linux will disable LD_LIBRARY_PATH on any program that has elevated privileges like setcap or suid. So if your program uses its own .../lib/, you might have to look into another option like port forwarding.

Resources:

Note: RHEL first added this in v6.

这篇关于是否有一种方法可以将非根进程绑定到“特权"进程? Linux上的端口?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

07-26 02:39