Under Linux, ports below 1024 are reserved for root; any other user who tries to bind one gets an error. We may therefore be tempted to run a program under the root account, but that exposes the Linux system to security risks. How, then, can a program running as a non-root user still serve an external port below 1024?
The first method: SetUID
Setting the set-user-ID bit on the application lets it run with root privileges. The result is the same as running the program as root, so this must be done with great care: the method carries its own security risk, especially when the program itself has a security flaw.
Methods used are:
chown root:root /path/to/application
# Use SetUID
chmod u+s /path/to/application
We can see an example on the system: /usr/bin/passwd uses SetUID so that every system user can run passwd to change their password, which means modifying /etc/passwd (something only root can do).
Since the aim of running the program as a non-root user is to reduce the risk the program itself brings to the system, this method calls for special caution.
The second method: CAP_NET_BIND_SERVICE
Since version 2.1, the Linux kernel has had the concept of capabilities, which allow an ordinary user to perform work that previously only the superuser could, including binding privileged ports.
With the CAP_NET_BIND_SERVICE capability, a service can bind a low port even when it runs under a non-root account. Usage:
# Set CAP_NET_BIND_SERVICE
setcap cap_net_bind_service=+ep /path/to/application
1. This method is not available on every Linux system, since kernels before 2.1 do not provide capabilities, so check that the target system supports it before relying on it;
2. Also note that if the program to run is a script, this method does not work, because the capability is attached to the executable file and a script is executed by its interpreter.
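To make the second method easier to apply safely, here is an added helper script (not part of the original article) that refuses scripts, applies the capability, and verifies the result by parsing getcap output. The path /path/to/application is a placeholder; apply_cap needs root, the check functions do not.

```shell
#!/bin/sh
# Added example: helpers for the CAP_NET_BIND_SERVICE method.

# is_script FILE -> exit 0 if FILE begins with "#!" (an interpreter script).
# setcap on a script has no effect: the kernel executes the interpreter,
# and the file capability lives on the file being executed.
is_script() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# cap_grants_bind LINE -> exit 0 if a getcap output line grants
# cap_net_bind_service with both the effective (e) and permitted (p) flags.
# Both getcap output styles are handled:
#   /srv/app = cap_net_bind_service+ep   (older libcap)
#   /srv/app cap_net_bind_service=ep     (libcap 2.41 and later)
cap_grants_bind() {
    flags=$(printf '%s\n' "$1" |
        sed -n 's/.*cap_net_bind_service[+=]\([a-z]*\).*/\1/p')
    case "$flags" in
        *e*) case "$flags" in *p*) return 0 ;; esac ;;
    esac
    return 1
}

# choose_method FILE -> prints which method from the article fits FILE.
choose_method() {
    if is_script "$1"; then
        echo "port-forwarding"        # setcap cannot work on a script
    elif command -v setcap >/dev/null 2>&1; then
        echo "cap_net_bind_service"
    else
        echo "port-forwarding"        # no libcap tools installed
    fi
}

# apply_cap FILE -> grant the capability and confirm it took effect (root only).
apply_cap() {
    if is_script "$1"; then
        echo "refusing: $1 is a script; use port forwarding instead" >&2
        return 2
    fi
    setcap 'cap_net_bind_service=+ep' "$1" || return 1
    cap_grants_bind "$(getcap "$1")"
}

# Usage: sh allow_low_port.sh /path/to/application
if [ $# -ge 1 ]; then
    apply_cap "$1" && echo "$1 may now bind ports below 1024 without root"
fi
```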
The third method: Port Forwarding
If the program is allowed to listen on some other port, this method can be used: run the program under a non-root account bound to a port above 1024, and forward the low port to that high port so that the service still works on the low port. In effect a non-root program serves a low port without binding it. The method is used as follows:
# Enable the IP FORWARD kernel parameter.
sysctl -w net.ipv4.ip_forward=1
# Use iptables rules to redirect packets
iptables -t nat -F
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination :8088
The first step is to enable IP forwarding with sysctl (this feature is disabled by default on Red Hat / CentOS). Note that the sysctl setting above is temporary and is reset after a reboot; to keep it permanently, edit /etc/sysctl.conf:
# Default value is 0, change it to 1.
# net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1
Then load the new configuration from the file:
# Load new sysctl.conf
sysctl -p /etc/sysctl.conf
# Or sysctl -p
# Default filename is /etc/sysctl.conf
The second step is to use an iptables rule to forward the low port to the port the program listens on; in the example, port 80 is forwarded to 8088.
This method achieves our objective well: the program runs as a non-root user and still provides its service externally on the low port number.
The fourth way: RINETD
This method also relies on port forwarding: the tool maps a remote port to a local port. For our purpose, though, it adds little beyond what we already have, and it means installing an additional program, which may well increase the risk to the system. It is not recommended here.