<p>Okay, thanks to the people who pointed out the capabilities system and <code>CAP_NET_BIND_SERVICE</code> capability. If you have a recent kernel, it is indeed possible to use this to start a service as non-root but bind low ports. The short answer is that you do:</p>
<pre><code>setcap 'cap_net_bind_service=+ep' /path/to/program
</code></pre>
<p>And then anytime <code>program</code> is executed thereafter it will have the <code>CAP_NET_BIND_SERVICE</code> capability. <code>setcap</code> is in the Debian package <code>libcap2-bin</code>.</p>
<p>Now for the caveats:</p>
<ol>
<li>You will need at least a 2.6.24 kernel.</li>
<li>This won't work if your file is a script (i.e., uses a <code>#!</code> line to launch an interpreter). In this case, as far as I understand, you'd have to apply the capability to the interpreter executable itself, which of course is a security nightmare, since any program using that interpreter will have the capability. I wasn't able to find any clean, easy way to work around this problem.</li>
<li>Linux will disable <code>LD_LIBRARY_PATH</code> on any <code>program</code> that has elevated privileges like <code>setcap</code> or <code>suid</code>. So if your <code>program</code> uses its own <code>.../lib/</code>, you might have to look into another option like port forwarding.</li>
</ol>
<p>Resources:</p>
<ul>
<li><a href="http://www.kernel.org/doc/man-pages/online/pages/man7/capabilities.7.html" rel="noreferrer">capabilities(7) man page</a>. Read this long and hard if you're going to use capabilities in a production environment. There are some really tricky details of how capabilities are inherited across exec() calls that are detailed here.</li>
<li><a href="http://man7.org/linux/man-pages/man8/setcap.8.html" rel="noreferrer">setcap man page</a></li>
<li><a href="http://www.wensley.org.uk/info#setpcaps" rel="noreferrer">"Bind ports below 1024 without root on GNU/Linux"</a>: The document that first pointed me towards <code>setcap</code>.</li>
</ul>
<p>Note: <a href="http://www.redhat.com/promo/summit/2010/presentations/summit/whats-next/wed/sgrubb-2-rhel6-security/RHEL6-Security-Overview-2010-Final.pdf" rel="noreferrer">RHEL first added this in v6</a>.</p>
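Since capabilities can silently fail to survive exec() (the inheritance detail the capabilities(7) page warns about), a service is better off checking for itself. The following is an added example, not code from the answer above: it parses the <code>CapEff</code> mask in <code>/proc/self/status</code> (capability number 10 is <code>CAP_NET_BIND_SERVICE</code>) without needing libcap, then attempts the low-port bind; the port argument and its default of 80 are this example's own assumptions.

```c
/* Added example: confirm CAP_NET_BIND_SERVICE is in the effective set after
 * setcap + exec, then try the low-port bind. Linux-only (reads /proc). */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#define CAP_NET_BIND_SERVICE_BIT 10   /* capability number, see capabilities(7) */

/* Parse the hex bitmask on the "CapEff:" line of a /proc/<pid>/status text.
 * Returns 1 if bit 10 is set, 0 if clear, -1 if the line is missing. */
int cap_eff_has_net_bind(const char *status_text) {
    const char *p = strstr(status_text, "CapEff:");
    if (p == NULL) return -1;
    unsigned long long mask = strtoull(p + strlen("CapEff:"), NULL, 16);
    return (int)((mask >> CAP_NET_BIND_SERVICE_BIT) & 1ULL);
}

/* Read the live process's status file and run the check above on it. */
int self_has_net_bind(void) {
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return cap_eff_has_net_bind(buf);
}

/* Bind a TCP socket to 0.0.0.0:port. Returns 0 on success, otherwise errno;
 * a non-root process without the capability gets EACCES on ports below 1024. */
int try_bind_port(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) }; /* s_addr 0 = INADDR_ANY */
    int rc = (bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0) ? 0 : errno;
    close(fd);
    return rc;
}

int main(int argc, char **argv) {
    unsigned short port = (argc > 1) ? (unsigned short)atoi(argv[1]) : 80; /* assumed default */
    int has = self_has_net_bind();
    printf("CAP_NET_BIND_SERVICE effective: %s\n", has == 1 ? "yes" : has == 0 ? "no" : "unknown");
    int rc = try_bind_port(port);
    printf("bind(0.0.0.0:%u): %s\n", port, rc == 0 ? "ok" : strerror(rc));
    return rc == 0 ? 0 : 1;
}
```

Run it once as a plain binary and once after <code>setcap 'cap_net_bind_service=+ep'</code> on it; the first line of output shows whether the capability arrived, the second whether the kernel honoured it.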