Linux: using ports below 1024 as a non-root user

Add Date : 2016-05-18
On Linux, ports below 1024 may by default only be bound by root; any other user that tries gets an error. Sometimes we consider simply running the program under the root account, but that exposes the system to security risk. So how can a program running as a non-root user listen on an external port below 1024?

The first method: SetUID

Setting the set-user-ID bit on the application lets it run with root privileges whenever it is executed. The effect is the same as running the program as root, so it must be used with great care: it creates a security risk of its own, especially if the program itself contains a vulnerability.

Usage:

chown root.root /path/to/application
# Use SetUID
chmod u+s /path/to/application
An example already on the system is /usr/bin/passwd: it uses SetUID so that every user can run passwd to change their own password, which means modifying /etc/passwd (something only root may do).

Since the whole point of running the program as a non-root user is to reduce the risk the program poses to the system, this method calls for particular caution.

The second method: CAP_NET_BIND_SERVICE

Since version 2.1, the Linux kernel has had the concept of capabilities, which let ordinary users perform some tasks that otherwise only the superuser could, including the use of privileged ports.

With the CAP_NET_BIND_SERVICE capability, a service running under a non-root account can bind low ports. Usage:

# Set CAP_NET_BIND_SERVICE
setcap cap_net_bind_service=+ep /path/to/application
Note:

1. This method is not available on every Linux system, because kernels before 2.1 do not provide it, so check that the system supports it before relying on it;

2. Also note that if the program file is a script, this method does not work (the capability is attached to the executable file, and for a script the executable is the interpreter).
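The following helpers, added here and not part of the original article, wrap the CAP_NET_BIND_SERVICE step with the checks a practitioner wants: refusing scripts (the case noted above), reading the capability back, and auditing a directory for setuid files (what method 1 leaves behind) and for files carrying capabilities. The application path and audit directory are placeholders.

```shell
# Added example (not from the original article): helpers around the
# CAP_NET_BIND_SERVICE method. "$app" and the audit directory are placeholders.

# setcap attaches the capability to the executable file. For a "#!" script the
# executable is the interpreter, so the script itself can never carry it.
is_interpreter_script() {
    [ -f "$1" ] && [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# Grant only the low-port capability (not full root), then read it back.
# The capability lives in an extended attribute and is lost when the file
# is replaced, e.g. by a package upgrade, so re-run this after updates.
grant_net_bind() {
    app="$1"
    if is_interpreter_script "$app"; then
        echo "refusing: $app is a script, setcap would have no effect" >&2
        return 1
    fi
    setcap cap_net_bind_service=+ep "$app" || return 1
    getcap "$app"   # shows the file with cap_net_bind_service in the ep set
}

# Audit: files with the set-user-ID bit under a directory. Method 1 leaves
# these behind, and each setuid-root binary is a full-privilege target.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Audit: files carrying any file capability (needs getcap from libcap).
list_capability_files() {
    command -v getcap >/dev/null 2>&1 || { echo "getcap not installed" >&2; return 1; }
    getcap -r "$1" 2>/dev/null
}
```

grant_net_bind needs root; the two audit functions and is_interpreter_script run as any user.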

The third method: Port Forwarding

If the program is able to listen on some other port, this method applies: run the program under a non-root account bound to a port above 1024, and forward the low port to that high port so the service stays reachable on the low port. A non-root program thus serves a low port without ever binding it. It is done as follows:

# Enable the IP FORWARD kernel parameter.
sysctl -w net.ipv4.ip_forward=1

# Use iptables rules to redirect packets
iptables -F -t nat
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination :8088
The first step uses sysctl to make sure IP forwarding is enabled (it is disabled by default on Red Hat / CentOS). Note that a value set with sysctl -w is temporary and is reset on reboot; to keep it permanently, edit /etc/sysctl.conf:

# Default value is 0, needs to be changed to 1.
# net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1
Then load the new configuration from the file:

# Load new sysctl.conf
sysctl -p /etc/sysctl.conf

# Or sysctl -p
# Default filename is /etc/sysctl.conf
 
The second step uses iptables rules to forward the low port to the port the program listens on; in the example, port 80 is forwarded to 8088.

This method achieves our goal best: the program runs as a non-root user and still provides its service to the outside on the low port.
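The port-forwarding step above, as an added example that is not part of the original article: one checked function that validates the port pair, uses DNAT as the article does, and adds the OUTPUT-chain rule needed for connections made on the host itself. The sysctl step is left out because a redirect to a port on the same host does not depend on IP forwarding (that only matters when the DNAT target is another host). Set DRY_RUN=1 to print the commands instead of running them; otherwise it must run as root.

```shell
# Added example (not from the original article). DRY_RUN=1 prints the
# commands instead of executing them; without it, run as root.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# The public port must be privileged (<1024) and the service port must not be,
# otherwise the non-root program could not bind it in the first place.
valid_port_pair() {
    case "$1" in ''|*[!0-9]*) return 1;; esac
    case "$2" in ''|*[!0-9]*) return 1;; esac
    [ "$1" -ge 1 ] && [ "$1" -lt 1024 ] && [ "$2" -ge 1024 ] && [ "$2" -le 65535 ]
}

forward_low_to_high() {
    low="$1"; high="$2"
    valid_port_pair "$low" "$high" || { echo "bad port pair: $low -> $high" >&2; return 1; }
    # Do not flush the whole nat table (the article's "iptables -F -t nat"
    # would also drop unrelated rules); only add the rules this service needs.
    # Traffic from other hosts enters through PREROUTING ...
    run iptables -t nat -A PREROUTING -p tcp --dport "$low" -j DNAT --to-destination ":$high"
    # ... but connections made on this host itself only pass through OUTPUT,
    # so without this second rule a local test against port $low still fails.
    run iptables -t nat -A OUTPUT -o lo -p tcp --dport "$low" -j DNAT --to-destination ":$high"
}
```

Call it as forward_low_to_high 80 8088 to reproduce the article's example.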

The fourth way: RINETD

This method is port forwarding as well: the tool maps a local port to a remote port. For our purpose that is more than we need, and it adds yet another program to the system, which will likely increase the system's risk. It is not recommended here.
  CopyRight 2002-2016 newfreesoft.com, All Rights Reserved.