  Linux: letting a non-root user serve on ports below 1024
     
  Add Date : 2016-05-18      
         
         
         
  Under Linux, ports below 1024 can by default be bound only by root; any other user that tries gets an error. Sometimes we might consider running a program under the root account, but that adds security risk to the Linux system. So how can a program that runs as a non-root user still provide its service on an external port below 1024?

The first method: SetUID

Setting the set-user-ID bit on the application's executable makes it run with root privileges whenever it is executed. This is equivalent to running the program as root, so it has to be handled with great care: it carries the same security risk, especially if the program itself has a vulnerability.

The commands are:

chown root:root /path/to/application
# Set the SetUID bit
chmod u+s /path/to/application
 
A system example is /usr/bin/passwd: this file is SetUID, which lets every user run passwd to change their own password, an operation that modifies the /etc/passwd file (which only root may write).

Since the whole point of running the program as a non-root user is to reduce the risk the program itself poses to the system, this method must be used with special caution.

The second method: CAP_NET_BIND_SERVICE

Since version 2.1, the Linux kernel has had the concept of capabilities, which lets ordinary users perform selected tasks that otherwise only the superuser could, including binding privileged ports.

With the CAP_NET_BIND_SERVICE capability, a service can bind a low port even when it runs under a non-root account. Usage:

# Grant CAP_NET_BIND_SERVICE
setcap cap_net_bind_service=+ep /path/to/application
 
Note:

1. This method is not available on every Linux system, because kernels before 2.1 do not provide it, so check that your system supports it before relying on it;

2. Also note that if the program to run is a script, this method cannot work: file capabilities apply to the executable the kernel actually runs, which for a script is the interpreter, not the script file.
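As an added example (not code from the original article), the following POSIX shell script performs the pre-flight checks a practitioner wants before choosing between SetUID and CAP_NET_BIND_SERVICE: it classifies the executable by its magic bytes (file capabilities are silently ignored on scripts, because the kernel executes the interpreter), reports whether the set-user-ID bit is already on, and decodes the CapEff mask from /proc/<pid>/status to confirm that a running process actually holds CAP_NET_BIND_SERVICE (capability number 10). The file paths and the sample CapEff values are constructed for illustration.

```sh
#!/bin/sh
# Added example: pre-flight checks for the SetUID and CAP_NET_BIND_SERVICE
# methods. Paths and the demo values below are assumptions, not from the article.

# CAP_NET_BIND_SERVICE is capability number 10 in the kernel's capability list.
CAP_NET_BIND_SERVICE=10

# Classify an executable by its first four bytes: "elf" for a native binary,
# "script" for a "#!" interpreter script, otherwise "unknown". setcap on a
# script has no effect, because the kernel executes the interpreter binary
# and the script's own file capabilities are never consulted.
file_kind() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;      # 0x7f 'E' 'L' 'F'
        2321*)    echo script ;;   # '#' '!'
        *)        echo unknown ;;
    esac
}

# True when the set-user-ID bit is set on the file (POSIX test -u).
has_setuid() { [ -u "$1" ]; }

# Given the hex CapEff value from /proc/<pid>/status, succeed when bit 10
# (CAP_NET_BIND_SERVICE) is present in the effective set.
capeff_has_net_bind() {
    [ $(( (0x$1 >> CAP_NET_BIND_SERVICE) & 1 )) -eq 1 ]
}

# Read the effective capability set of a running process (default: this shell).
proc_has_net_bind() {
    pid=${1:-self}
    hex=$(awk '/^CapEff:/ { print $2 }' "/proc/$pid/status")
    capeff_has_net_bind "$hex"
}

# Print which method can apply to the executable at $1.
preflight() {
    f=$1
    kind=$(file_kind "$f")
    if has_setuid "$f"; then
        echo "$f: set-user-ID bit is already set; it runs with its owner's privileges"
    fi
    case "$kind" in
        elf)
            echo "$f: native binary; setcap cap_net_bind_service=+ep $f is usable" ;;
        script)
            echo "$f: script; file capabilities are ignored, and granting them to the"
            echo "    interpreter would extend the privilege to every script it runs;"
            echo "    prefer port forwarding for this program" ;;
        *)
            echo "$f: unrecognised file type; check the program manually" ;;
    esac
}

# Usage: ./preflight.sh /path/to/application
if [ $# -gt 0 ]; then
    preflight "$1"
    if proc_has_net_bind; then
        echo "this shell holds CAP_NET_BIND_SERVICE"
    else
        echo "this shell does not hold CAP_NET_BIND_SERVICE"
    fi
fi
```

The CapEff check is the one to run after deploying: start the service, then call proc_has_net_bind with its PID; if the capability is missing, setcap was applied to the wrong file (a wrapper, symlink or script rather than the binary) or the binary was replaced by a package update, which clears file capabilities.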

The third method: Port Forwarding

If the program can be allowed to listen on a different port, this method can be used: run the program under a non-root account bound to a port above 1024, and forward the traffic arriving at the low port to that high port, so that a program running as non-root effectively serves the low port. It is done as follows:

# Enable the IP_FORWARD kernel parameter
sysctl -w net.ipv4.ip_forward=1

# Use iptables rules to redirect packets
iptables -F -t nat
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination :8088
 
The first step uses sysctl to make sure IP forwarding is enabled (it is disabled by default on Red Hat / CentOS). Note that a setting made with sysctl -w is temporary and is reset after a reboot; to keep it permanently, edit the /etc/sysctl.conf file:

# Default value is 0, change it to 1.
# net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1
 
Then load the new configuration from the file:

# Load new sysctl.conf
sysctl -p /etc/sysctl.conf

# Or sysctl -p
# Default filename is /etc/sysctl.conf
 
The second step uses iptables rules to forward the low port to the port the program listens on; in the example, port 80 is forwarded to port 8088.
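The two forwarding steps above, as an added example that is not the article's own code: a POSIX shell script that checks whether net.ipv4.ip_forward = 1 is actually active in a sysctl.conf-style file (commented-out lines such as # net.ipv4.ip_forward = 0 are ignored), validates the port pair, and emits idempotent iptables commands. It uses the REDIRECT target, which rewrites only the destination port and does the same job as the article's DNAT --to-destination :8088 for traffic addressed to this host; it adds a matching rule in the nat OUTPUT chain because PREROUTING never sees connections made from the host itself (a local curl test, for instance), and it checks each rule with -C before appending so that re-running the output does not duplicate rules. The port numbers and the sample config files are constructed for the example.

```sh
#!/bin/sh
# Added example: generate a low-to-high port forward; nothing here needs root
# at generation time. The port numbers and file names are assumptions.

# Succeed when $1 is a non-empty string of decimal digits.
is_int() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# The low port must be privileged (1-1023) and the high port unprivileged
# (1024-65535); anything else is rejected before it reaches iptables.
valid_port_pair() {
    is_int "$1" && is_int "$2" || return 1
    [ "$1" -ge 1 ] && [ "$1" -le 1023 ] && [ "$2" -ge 1024 ] && [ "$2" -le 65535 ]
}

# Succeed when the sysctl.conf-style file $1 contains an active (uncommented)
# "net.ipv4.ip_forward = 1" line. The last active assignment wins, because
# sysctl -p applies the file top to bottom.
ip_forward_persisted() {
    awk -F= '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            key = $1; val = $2
            gsub(/[[:space:]]/, "", key); gsub(/[[:space:]]/, "", val)
            if (key == "net.ipv4.ip_forward") last = val
        }
        END { if (last == "1") exit 0; exit 1 }
    ' "$1"
}

# Print the iptables commands that forward TCP port $1 to port $2 on this host.
# Each rule is checked with -C first, so running the output twice is harmless;
# by contrast "iptables -F -t nat" discards every rule in the nat table,
# including any that other services depend on.
redirect_rules() {
    low=$1; high=$2
    valid_port_pair "$low" "$high" || { echo "bad port pair: $low -> $high" >&2; return 1; }
    for chain in "PREROUTING" "OUTPUT -o lo"; do
        rule="$chain -p tcp --dport $low -j REDIRECT --to-ports $high"
        echo "iptables -t nat -C $rule 2>/dev/null || iptables -t nat -A $rule"
    done
}

# Usage: ./forward.sh LOW HIGH [sysctl.conf]    e.g. ./forward.sh 80 8088
if [ $# -ge 2 ]; then
    conf=${3:-/etc/sysctl.conf}
    if [ -r "$conf" ] && ip_forward_persisted "$conf"; then
        echo "# $conf: net.ipv4.ip_forward = 1 is persistent"
    else
        echo "# $conf: add net.ipv4.ip_forward = 1 and run sysctl -p" >&2
    fi
    echo "sysctl -w net.ipv4.ip_forward=1"
    redirect_rules "$1" "$2"
fi
```

Review the printed commands and run them as root; the script deliberately prints rather than executes so the change can be checked in before it touches the firewall. Because the rules are only in the running kernel, persist them with the distribution's mechanism (iptables-save into the file the iptables service restores at boot), just as the sysctl setting is persisted in /etc/sysctl.conf.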

This method achieves our goal well: the program runs as a non-root user and still provides its service externally on the low port.

The fourth method: RINETD

This method is also port forwarding: rinetd can map a remote port to a local port. For our purpose, however, that functionality is overkill, and it means adding an extra program to the system, which in turn increases the system's risk. It is not recommended here.