  Linux non-root user uses less than 1024 ports
     
  Add Date : 2016-05-18      
         
         
         
Under Linux, ports below 1024 can by default only be bound by root; if any other user tries, the bind fails with an error. Sometimes we might consider running a program under the root account, but that exposes the system to security risk. So how can a program running as a non-root user listen on an external port below 1024?

The first method: SetUID

Setting the set-user-ID bit on the application binary makes it execute with the privileges of the file owner (root), so the program runs exactly as if root had started it. This needs great care: the method itself poses a security risk, especially when the program has security flaws of its own.

Usage:

chown root:root /path/to/application
# Use SetUID
chmod u+s /path/to/application
 
You can see this on any system with /usr/bin/passwd: it uses SetUID so that every user can run passwd to change their own password, which means modifying /etc/passwd (a file only root can write).

Since the whole point of running the program as a non-root user is to reduce the risk the program itself poses to the system, this method must be used with special caution.

The second method: CAP_NET_BIND_SERVICE

Since version 2.1, the Linux kernel has had the concept of capabilities, which allow ordinary users to perform work that otherwise only the superuser can do, including the use of privileged ports.

With the CAP_NET_BIND_SERVICE capability, a service can bind to low ports even when it runs under a non-root account. Usage:

# Set CAP_NET_BIND_SERVICE
setcap cap_net_bind_service=+ep /path/to/application
 
Note:

1. This method is not suitable for all Linux systems: kernels prior to 2.1 do not provide capabilities, so check that the system supports them before using this method;

2. Also note that if the program to run is a script, this method cannot work properly: the file capability is attached to the script file, but the kernel executes the interpreter, not the script, so the capability is never applied.
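A small audit helper, added here as an example rather than taken from the original article, that reports which of the two per-file mechanisms above applies to a given executable (SetUID root or the CAP_NET_BIND_SERVICE file capability) and flags the script case from note 2. It assumes GNU/busybox stat and, optionally, getcap from libcap; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original article): report how an executable is
# allowed to bind ports below 1024. Usage: low_port_audit /path/to/application

is_script() {
    # A file starting with "#!" is run through an interpreter; the kernel
    # applies file capabilities to the interpreter's binary, not the script.
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

low_port_audit() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f"; return 2; }
    mode=$(stat -c %A "$f")      # symbolic mode, e.g. -rwsr-xr-x
    owner=$(stat -c %u "$f")     # numeric owner uid
    caps=""
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$f" 2>/dev/null)   # e.g. "/path cap_net_bind_service=ep"
    fi
    # setuid bit shows as 's' or 'S' in the owner-execute position (4th char)
    case "$mode" in
        ???[sS]*) setuid=yes ;;
        *)        setuid=no ;;
    esac
    if [ "$setuid" = yes ] && [ "$owner" = 0 ]; then
        echo "setuid-root"          # full root privilege at exec time, not just low ports
    elif [ "$setuid" = yes ]; then
        echo "setuid-nonroot"       # setuid to uid $owner: grants no low-port privilege
    elif printf '%s' "$caps" | grep -q cap_net_bind_service; then
        if is_script "$f"; then
            echo "capability-on-script"   # setcap succeeded but is ignored for scripts
        else
            echo "capability"       # least-privilege case: only CAP_NET_BIND_SERVICE
        fi
    else
        echo "none"                 # will get EACCES on bind() to a port < 1024
    fi
}
```

Run it over every listening service's binary after deployment; anything reporting setuid-root deserves the extra scrutiny the article calls for.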

The third method: Port Forwarding

If the program is able to listen on other ports, this method can be used: run the program under a non-root account bound to a port above 1024, and forward the low port to that high port so that the service still appears on the low port. Usage:

# Enable the IP FORWARD kernel parameter.
sysctl -w net.ipv4.ip_forward=1

# Use iptables rules to redirect packets
iptables -F -t nat
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination :8088
 
The first step uses sysctl to enable IP forwarding (disabled by default on Red Hat / CentOS). Note that settings made with sysctl -w are temporary and are reset on reboot; to keep them permanently, edit /etc/sysctl.conf:

# Default value is 0, needs to be changed to 1.
# net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1
 
Then load the new configuration from the file:

# Load new sysctl.conf
sysctl -p /etc/sysctl.conf

# Or sysctl -p
# Default filename is /etc/sysctl.conf
 
The second step uses iptables rules to forward the low port to the port where the program listens; in the example, port 80 is forwarded to 8088. Note that the PREROUTING chain only sees packets arriving from other hosts; connections made locally to 127.0.0.1:80 pass through the nat OUTPUT chain instead and need their own rule if they are to reach the program.

This method achieves our objective well: the program runs as a non-root user, yet it provides its service externally on the low port number.

The fourth method: RINETD

This method also relies on port forwarding; rinetd can map a local port to a remote port. For our current purpose, however, it offers little: it adds an extra program to the system, which is likely to increase the system's risk. It is not recommended here.