  Linux non-root user uses less than 1024 ports
     
  Add Date : 2016-05-18      
         
       
         
Under Linux, ports below 1024 can by default only be bound by root; if any other user tries to bind one, the call fails with an error. We might sometimes consider running a program under the root account, but that exposes the Linux system to security risks. So how can a program running as a non-root user listen on an external port below 1024?

The first method: SetUID

Setting the set-user-ID bit on the application's executable makes the program run with root privileges when it is executed. This method lets the program behave exactly as if root had started it, but it demands great care: it carries a security risk of its own, especially when the program being executed has security weaknesses itself.

The commands are:

chown root.root /path/to/application
# Set the SetUID bit
chmod u+s /path/to/application
 
We can see an example on the system itself: /usr/bin/passwd uses SetUID so that every system user can run passwd to change their own password, which means modifying the /etc/passwd file (something only root can do).

Since the reason for running the program as a non-root user is to reduce the security risk the program itself poses to the system, this method must be used with special caution.

The second method: CAP_NET_BIND_SERVICE

Since kernel version 2.1, Linux has had the concept of capabilities, which let ordinary users perform work that otherwise only the superuser can do, including the use of privileged ports.

With the CAP_NET_BIND_SERVICE capability, a service can bind low ports even while running under a non-root account. Usage:

# Grant CAP_NET_BIND_SERVICE
setcap cap_net_bind_service=+ep /path/to/application
 
Note:

1. This method is not available on all Linux systems, since kernels prior to 2.1 do not provide capabilities, so check that the system supports it before relying on it;

2. Another thing to note: if the program file to be run is a script, this method does not work.
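A defender's audit for the first two methods, as an added Python example that is not part of the original article: it decodes the security.capability extended attribute that setcap writes (the kernel's vfs_cap_data layout, revisions 2 and 3) and lists files under a directory that are either setuid root or carry CAP_NET_BIND_SERVICE in the effective set. The function names and the directory-walking logic are my own construction.

```python
import os
import stat
import struct

# security.capability xattr = struct vfs_cap_data, little-endian u32 fields:
# magic_etc (revision in top byte, bit 0 = effective flag), then
# (permitted, inheritable) low 32 bits, (permitted, inheritable) high 32 bits.
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
CAP_NET_BIND_SERVICE = 10  # capability number from <linux/capability.h>

def parse_vfs_caps(raw: bytes) -> dict:
    """Decode a security.capability blob (revision 2 or 3) into bitmasks."""
    magic = struct.unpack_from("<I", raw, 0)[0]
    revision = magic >> 24
    if revision not in (2, 3) or len(raw) < 20:
        raise ValueError(f"unsupported vfs_cap_data revision {revision}")
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<4I", raw, 4)
    return {"revision": revision,
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": p_lo | (p_hi << 32),
            "inheritable": i_lo | (i_hi << 32)}

def grants_net_bind_service(raw: bytes) -> bool:
    """True for the blob `setcap cap_net_bind_service=+ep` writes: permitted + effective."""
    caps = parse_vfs_caps(raw)
    return caps["effective"] and bool(caps["permitted"] & (1 << CAP_NET_BIND_SERVICE))

def is_setuid_root(mode: int, uid: int) -> bool:
    """Mode/owner pair left behind by `chown root.root` plus `chmod u+s`."""
    return bool(mode & stat.S_ISUID) and uid == 0

def audit_tree(root: str) -> list:
    """List regular files under `root` that run as root or may bind low ports (no symlink following)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if is_setuid_root(st.st_mode, st.st_uid):
                findings.append((path, "setuid root"))
            try:  # Linux-only xattr; ENODATA/ENOTSUP mean no capability set
                raw = os.getxattr(path, "security.capability", follow_symlinks=False)
            except (OSError, AttributeError):
                continue
            if grants_net_bind_service(raw):
                findings.append((path, "cap_net_bind_service=+ep"))
    return findings
```

Run `audit_tree("/usr/bin")` on a host to compare what is actually granted against what the two methods above were meant to grant.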

The third method: Port Forwarding

If the program is allowed to listen on other ports, this method can be used: let the program run under a non-root account bound to a port above 1024, and forward traffic from the low port to that high port, so that the service is reachable on the low port even though the non-root program itself binds a high one. It is done as follows:

# Enable the IP forwarding kernel parameter
sysctl -w net.ipv4.ip_forward=1

# Use iptables rules to redirect packets
# Flush the nat table first (this removes every existing NAT rule)
iptables -F -t nat
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination :8088
 
The first step uses sysctl to enable IP forwarding (which is disabled by default on Red Hat / CentOS). Note that a setting made with sysctl -w as above is temporary and is reset after a reboot; to keep it permanently, edit the /etc/sysctl.conf file:

# Default value is 0; change it to 1.
# net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1
 
Then load the new configuration from the file:

# Load the new sysctl.conf
sysctl -p /etc/sysctl.conf

# Or simply: sysctl -p
# The default file is /etc/sysctl.conf
 
The second step uses iptables rules to forward the low port to the port the program listens on; in the example, port 80 is forwarded to 8088.

This method achieves our goal well: the program runs as a non-root user and still provides its service externally on a low port.

The fourth method: RINETD

This method also uses port forwarding; the tool can map a local port to a remote port. For our present purpose, though, it adds little: we would be adding yet another program, which may well increase the risk to the system. It is not recommended here.
  CopyRight 2002-2016 newfreesoft.com, All Rights Reserved.