I am in charge of setting up a JBoss web application that runs over SSL, thus should be accessible over port 443.
Of course, it can be started up by a user with root privileges, but that is something I'd like to avoid. I'd like to run it as a non-privileged user so I can strictly control everything this application does and give no more access than needed.
However, the problem is that non-privileged users cannot bind to ports below 1024. I am aware of the reasons why this is so by design; however, this security principle does not let me practice good security with my JBoss application.
What is the best way to solve this? I'd certainly like to avoid an ugly solution like binding to port 8443 instead.
1. The common approach to writing network services that use privileged ports is:
   - setuid(2) to drop privileges irreversibly;
   - seteuid(2) to drop privileges but remain able to switch back to root.

2. The common approach to allowing unprivileged users to start a privileged service is to set the setuid bit. After binding to the privileged port, the service can switch back to the real user id (the user that started your service) or to some special user (like the cron user for the cron daemon).

3. Another (Linux-specific) option is to give your service the CAP_NET_BIND_SERVICE capability without giving it full root privileges. This can be done directly in code using libpcap (but you still need the setuid bit), or by attaching the capability bit to the executable, if your filesystem supports it (thus you don't need the setuid bit).