[linux] Is there a way for non-root processes to bind to "privileged" ports on Linux?

Okay, thanks to the people who pointed out the capabilities system and CAP_NET_BIND_SERVICE capability. If you have a recent kernel, it is indeed possible to use this to start a service as non-root but bind low ports. The short answer is that you do:

setcap 'cap_net_bind_service=+ep' /path/to/program

And then anytime program is executed thereafter it will have the CAP_NET_BIND_SERVICE capability. setcap is in the debian package libcap2-bin.

Now for the caveats:

  1. You will need at least a 2.6.24 kernel
  2. This won't work if your file is a script. (ie, uses a #! line to launch an interpreter). In this case, as far I as understand, you'd have to apply the capability to the interpreter executable itself, which of course is a security nightmare, since any program using that interpreter will have the capability. I wasn't able to find any clean, easy way to work around this problem.
  3. Linux will disable LD_LIBRARY_PATH on any program that has elevated privileges like setcap or suid. So if your program uses its own .../lib/, you might have to look into another option like port forwarding.

Resources:

Note: RHEL first added this in v6.

Examples related to linux

grep's at sign caught as whitespace How to prevent Google Colab from disconnecting? "E: Unable to locate package python-pip" on Ubuntu 18.04 How to upgrade Python version to 3.7? Install Qt on Ubuntu Get first line of a shell command's output Cannot connect to the Docker daemon at unix:/var/run/docker.sock. Is the docker daemon running? Run bash command on jenkins pipeline How to uninstall an older PHP version from centOS7 How to update-alternatives to Python 3 without breaking apt?

Examples related to root

SQLSTATE[HY000] [1698] Access denied for user 'root'@'localhost' Connect to docker container as user other than root MySQL user DB does not have password columns - Installing MySQL on OSX vagrant login as root by default adb shell su works but adb root does not Android: adbd cannot run as root in production builds How to get domain root url in Laravel 4? Import Certificate to Trusted Root but not to Personal [Command Line] How to check if running as root in a bash script Access Denied for User 'root'@'localhost' (using password: YES) - No Privileges?

Examples related to ipv6

What is IPV6 for localhost and 0.0.0.0? Make docker use IPv4 for port binding How to set java.net.preferIPv4Stack=true at runtime? what does "dead beef" mean? How can I convert IPV6 address to IPV4 address? Get IPv4 addresses from Dns.GetHostEntry() Is there a way for non-root processes to bind to "privileged" ports on Linux? How do ports work with IPv6? Maximum length of the textual representation of an IPv6 address? Regular expression that matches valid IPv6 addresses

Examples related to iptables

Connection refused to MongoDB errno 111 How can I use iptables on centos 7? Adding a rule in iptables in debian to open a new port iptables v1.4.14: can't initialize iptables table `nat': Table does not exist (do you need to insmod?) iptables LOG and DROP in one rule How can I remove specific rules from iptables? iptables block access to port 8000 except from IP address Iptables setting multiple multiports in one rule Is there a way for non-root processes to bind to "privileged" ports on Linux?

Examples related to linux-capabilities

Is there a way for non-root processes to bind to "privileged" ports on Linux?