Is there a way for non-root processes to bind to "privileged" ports on Linux?

Views: 39

Problem description

It's very annoying to have this limitation on my development box, when there won't ever be any users other than me.

I'm aware of the standard workarounds, but none of them do exactly what I want:

  1. authbind (The version in Debian testing, 1.0, only supports IPv4)
  2. Using the iptables REDIRECT target to redirect a low port to a high port (the "nat" table is not yet implemented for ip6tables, the IPv6 version of iptables)
  3. sudo (Running as root is what I'm trying to avoid)
  4. SELinux (or similar). (This is just my dev box, I don't want to introduce a lot of extra complexity.)

Is there some simple sysctl variable to allow non-root processes to bind to "privileged" ports (ports less than 1024) on Linux, or am I just out of luck?

In some cases, you can use capabilities to do this.

Recommended answer

Okay, thanks to the people who pointed out the capabilities system and the CAP_NET_BIND_SERVICE capability. If you have a recent kernel, it is indeed possible to use this to start a service as non-root but bind low ports. The short answer is that you do:

setcap 'cap_net_bind_service=+ep' /path/to/program

And then anytime program is executed thereafter it will have the CAP_NET_BIND_SERVICE capability. setcap is in the Debian package libcap2-bin.

Caveats:

  1. You will need at least a 2.6.24 kernel
  2. This won't work if your file is a script (i.e., uses a #! line to launch an interpreter). In this case, as far as I understand, you'd have to apply the capability to the interpreter executable itself, which of course is a security nightmare, since any program using that interpreter will have the capability. I wasn't able to find any clean, easy way to work around this problem.
  3. Linux will disable LD_LIBRARY_PATH on any program that has elevated privileges like setcap or suid. So if your program uses its own .../lib/, you might have to look into another option like port forwarding.

Resources:

  • capabilities(7) man page. Read this long and hard if you're going to use capabilities in a production environment. There are some really tricky details of how capabilities are inherited across exec() calls that are detailed here.
  • setcap man page
  • "Bind ports below 1024 without root on GNU/Linux": The document that first pointed me towards setcap.

Note: RHEL first added this in v6.
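As an added example (not code from the answer's author), the small C program below shows how a service can tell, at startup, whether the setcap step above actually took effect: it reads the effective capability mask (CapEff) from /proc/self/status and checks bit 10, which is the kernel's index for CAP_NET_BIND_SERVICE (from <linux/capability.h>), then probes a bind on the requested port and distinguishes EACCES (missing capability on a port below 1024) from other failures. Compiled to a binary, it is exactly the kind of file the setcap command applies to; run from a #! script interpreter instead, the check would report "no", which is caveat 2 above. The port defaulting to 80 and the loopback-only bind are choices made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Bit index of CAP_NET_BIND_SERVICE in the kernel's capability bitmask
 * (value taken from <linux/capability.h>). */
#define CAP_NET_BIND_SERVICE_BIT 10

/* Parse a hexadecimal capability mask as printed in /proc/self/status
 * (e.g. "0000000000000400" after "CapEff:") and report whether bit `cap`
 * is set. Returns 1 if set, 0 if clear, -1 on malformed input. */
int cap_mask_has(const char *hexmask, int cap) {
    char *end;
    errno = 0;
    unsigned long long mask = strtoull(hexmask, &end, 16);
    if (errno != 0 || end == hexmask || cap < 0 || cap > 63)
        return -1;
    return ((mask >> cap) & 1ULL) ? 1 : 0;
}

/* Read the effective capability set of the current process from
 * /proc/self/status. Returns 1/0 as above, -1 if it cannot be determined. */
int process_has_effective_cap(int cap) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            const char *p = line + 7;
            while (*p == ' ' || *p == '\t')
                p++;
            result = cap_mask_has(p, cap);
            break;
        }
    }
    fclose(f);
    return result;
}

/* Try to bind a TCP socket to `port` on 127.0.0.1. Returns 0 on success,
 * otherwise the errno from bind(2); EACCES means the process lacks
 * CAP_NET_BIND_SERVICE for a port below 1024. The socket is closed before
 * returning, so this only probes whether the bind would be permitted. */
int try_bind_port(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int rc = bind(fd, (struct sockaddr *)&addr, sizeof addr);
    int err = rc < 0 ? errno : 0;
    close(fd);
    return err;
}

int main(int argc, char **argv) {
    /* Port 80 by default; pass another port as the first argument. */
    unsigned short port = argc > 1 ? (unsigned short)atoi(argv[1]) : 80;
    int has_cap = process_has_effective_cap(CAP_NET_BIND_SERVICE_BIT);
    printf("CAP_NET_BIND_SERVICE in effective set: %s\n",
           has_cap == 1 ? "yes" : has_cap == 0 ? "no" : "unknown");
    int err = try_bind_port(port);
    if (err == 0) {
        printf("bind to 127.0.0.1:%u succeeded\n", (unsigned)port);
        return 0;
    }
    fprintf(stderr, "bind to 127.0.0.1:%u failed: %s\n",
            (unsigned)port, strerror(err));
    if (err == EACCES && port < 1024)
        fprintf(stderr, "hint: grant the capability with "
                        "setcap 'cap_net_bind_service=+ep' %s\n", argv[0]);
    return 1;
}
```

Compile it (for instance `cc -o bindcheck bindcheck.c`), run it as a normal user to see the EACCES path, then apply `setcap 'cap_net_bind_service=+ep' ./bindcheck` and run it again: the capability check reports "yes" and the bind succeeds. `getcap ./bindcheck` (also from libcap2-bin) shows the file capability that was set.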

