Is there a way for non-root processes to bind to "privileged" ports on Linux?


Question

It's very annoying to have this limitation on my development box, when there won't ever be any users other than me.

I'm aware of the standard workarounds, but none of them do exactly what I want:

  1. authbind (The version in Debian testing, 1.0, only supports IPv4)
  2. Using the iptables REDIRECT target to redirect a low port to a high port (the "nat" table is not yet implemented for ip6tables, the IPv6 version of iptables)
  3. sudo (Running as root is what I'm trying to avoid)
  4. SELinux (or similar). (This is just my dev box, I don't want to introduce a lot of extra complexity.)

Is there some simple sysctl variable to allow non-root processes to bind to "privileged" ports (ports less than 1024) on Linux, or am I just out of luck?

EDIT: In some cases, you can use capabilities to do this.

Answer

Okay, thanks to the people who pointed out the capabilities system and CAP_NET_BIND_SERVICE capability. If you have a recent kernel, it is indeed possible to use this to start a service as non-root but bind low ports. The short answer is that you do:

setcap 'cap_net_bind_service=+ep' /path/to/program

And then anytime program is executed thereafter it will have the CAP_NET_BIND_SERVICE capability. setcap is in the debian package libcap2-bin.

Now for the caveats:

  1. You will need at least a 2.6.24 kernel
  2. This won't work if your file is a script. (ie, uses a #! line to launch an interpreter). In this case, as far as I understand, you'd have to apply the capability to the interpreter executable itself, which of course is a security nightmare, since any program using that interpreter will have the capability. I wasn't able to find any clean, easy way to work around this problem.
  3. Linux will disable LD_LIBRARY_PATH on any program that has elevated privileges like setcap or suid. So if your program uses its own .../lib/, you might have to look into another option like port forwarding.

Resources:

Note: RHEL first added this in v6.
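The setcap procedure above, with the checks a practitioner would want around it, as an added example that is not part of the original answer. It guards against caveat 2 (file capabilities are ignored on a `#!` script, so the target is checked for the ELF magic first), verifies the result with `getcap`, and includes a runtime check that reads `CapEff` from `/proc/<pid>/status` so you can confirm the capability actually survived exec. It assumes libcap's `setcap`/`getcap` are installed and that `grant_bind_cap` is run as root; the helper names and the script filename are this example's own. The `net.ipv4.ip_unprivileged_port_start` sysctl it consults exists on Linux 4.11 and later (the "simple sysctl" the question asked about); on older kernels the boundary is hard-coded at 1024.

```shell
#!/bin/sh
# Added example (not from the original answer): grant CAP_NET_BIND_SERVICE to
# one binary with setcap, guarding against the caveats listed above. Assumes
# libcap's setcap/getcap are installed and that grant_bind_cap runs as root.
set -u

# Caveat 2: file capabilities are only honoured on a real executable, never on
# a "#!" script, so check for the ELF magic (7f 45 4c 46) before touching it.
is_elf_binary() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# The kernel's privileged-port boundary. Linux 4.11 and later expose it as
# net.ipv4.ip_unprivileged_port_start; older kernels hard-code 1024.
unprivileged_port_start() {
    if [ -r /proc/sys/net/ipv4/ip_unprivileged_port_start ]; then
        cat /proc/sys/net/ipv4/ip_unprivileged_port_start
    else
        echo 1024
    fi
}

# Succeeds if binding port $1 needs CAP_NET_BIND_SERVICE on this kernel.
port_needs_cap() {
    [ "$1" -lt "$(unprivileged_port_start)" ]
}

# CAP_NET_BIND_SERVICE is capability number 10. Test that bit in a CapEff
# hex string as printed by /proc/<pid>/status.
capeff_has_net_bind_service() {
    [ "$(( 0x$1 >> 10 & 1 ))" -eq 1 ]
}

# Runtime check for an already-running process ($1 = pid, default: self):
# did the capability actually survive exec? It will not for a #! script.
process_has_net_bind_service() {
    capeff=$(awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status")
    capeff_has_net_bind_service "$capeff"
}

# Apply the capability from the answer and verify the xattr was written.
grant_bind_cap() {
    prog=$1
    if ! is_elf_binary "$prog"; then
        echo "refusing: $prog is not an ELF executable; setcap on a #! script has no effect" >&2
        return 1
    fi
    setcap 'cap_net_bind_service=+ep' "$prog" || return 1
    # getcap prints the path followed by its capability set.
    getcap "$prog"
    echo "note: ld.so now ignores LD_LIBRARY_PATH for this binary (caveat 3)" >&2
}

# Usage (as root): ./grant-bind-cap.sh /path/to/program
if [ $# -gt 0 ]; then
    grant_bind_cap "$1"
fi
```

Only `grant_bind_cap` needs root; the check helpers are safe to run as any user. After starting the service, `process_has_net_bind_service <pid>` is the quick way to tell whether the capability is really in the effective set of the running process rather than only stored on the file.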
