d468e0d @klacke added support/docs for authbind/privbind
authored Dec 18, 2008

<erl>
out(A) ->
    {ssi, "TAB.inc", "%%",[{"privbind", "choosen"}]}.
</erl>


<div id="entry">

<h1>Binding to privileged ports</h1>

<p>
A common misfeature found on UN*X operating systems is the
restriction that only root can bind to ports below 1024.
Many a dollar has been wasted on workarounds, and often the
results are security holes.

</p>
<p>
Both FreeBSD and Solaris have elegant configuration options to
turn this feature off. On FreeBSD:

<div class="box">
<verbatim>
$ sysctl net.inet.ip.portrange.reservedhigh=0
</verbatim>
</div>

The above is best added to your /etc/sysctl.conf.
</p>
<p>
Similarly, on Solaris we can just configure away this misfeature.
Assume we want to run Yaws/SSL under a non-root user "erlang" on
ports 80/443.
</p>
<p>
On Solaris we can do that easily by granting the specific right to bind
privileged ports below 1024 (and only that) to "erlang" using:
</p>

<div class="box">
<verbatim>
$ /usr/sbin/usermod -K defaultpriv=basic,net_privaddr erlang
</verbatim>
</div>

<p>
And check that we got what we want with:
</p>


<div class="box">
<verbatim>
$ grep erlang /etc/user_attr
erlang::::type=normal;defaultpriv=basic,net_privaddr

</verbatim>
</div>


<p>
On Linux, with kernels later than 2.6.24, it's possible to do:
</p>
<div class="box">
<verbatim>
$ setcap 'cap_net_bind_service=+ep' /usr/bin/erl
</verbatim>
</div>

<p>
The above command grants the capability of binding
privileged ports to /usr/bin/erl.
</p>

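A check worth running after the setcap step, given here as an added example that is not code from this page or from Yaws: confirm that the VM process actually serving requests holds CAP_NET_BIND_SERVICE in its effective set, read from the CapEff line of its /proc/PID/status, because a file capability only reaches a process whose exec'd binary carried it. The capability number and the status-file layout are Linux's; the status text used in the test is constructed.

```c
/* Added example (not from the page or Yaws): verify that a running process
 * holds CAP_NET_BIND_SERVICE in its effective set by parsing the CapEff line
 * of /proc/PID/status. A capability set on a file with setcap only reaches a
 * process if that file is what was actually exec'd, so the live VM process,
 * not the binary, is the thing to check. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_NET_BIND_SERVICE 10   /* capability number from linux/capability.h */

/* Return 1 if the CapEff line in status_text has bit cap set, 0 if it is
 * clear, -1 if there is no CapEff line or cap is out of range. status_text
 * is the contents of a /proc/PID/status file (constructed in the test). */
int cap_in_status(const char *status_text, int cap) {
    const char *line = status_text;
    if (cap < 0 || cap > 63) return -1;
    while (line && *line) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            unsigned long long mask = strtoull(line + 7, NULL, 16); /* skips the tab */
            return (int)((mask >> cap) & 1ULL);
        }
        line = strchr(line, '\n');
        if (line) line++;             /* step to the start of the next line */
    }
    return -1;
}

/* Same check against a live process; pid 0 means the calling process. */
int process_has_cap(long pid, int cap) {
    char path[64], buf[8192]; FILE *f; size_t n;
    if (pid > 0) snprintf(path, sizeof path, "/proc/%ld/status", pid);
    else snprintf(path, sizeof path, "/proc/self/status");
    if (!(f = fopen(path, "r"))) return -1;  /* not Linux, or no such pid */
    n = fread(buf, 1, sizeof buf - 1, f); fclose(f); buf[n] = '\0';
    return cap_in_status(buf, cap);
}
```

Run process_has_cap against the pid of the beam process that Yaws started, not against the shell that launched it, to see whether the capability survived the start-up path.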
<p>
There are a couple
of other options on Linux. One is to use an auxiliary program
like authbind <em>http://packages.debian.org/stable/authbind</em>
or privbind <em>http://sourceforge.net/projects/privbind/</em>
</p>
<p>
These programs are run by root. Yaws writes its temporary
JIT-compiled files in $HOME/.yaws, and this doesn't work that
well with authbind/privbind: a non-root user would end up trying to
write in /root/.yaws. The solution is to set the
environment variable YAWSHOME. Yaws will then consider that to
be HOME rather than $HOME.
</p>
<p>
To start Yaws under one of these programs, e.g. privbind, we can do:
</p>


<div class="box">
<verbatim>
$ sudo YAWSHOME=/tmp/abc privbind -u klacke /home/klacke/bin/yaws \
      -c /home/klacke/yaws.conf -i

</verbatim>
</div>

<p>
The above command starts Yaws as user <em>klacke</em> and binds
to ports below 1024.
</p>

<p>
Yet another option is to install fdsrv, which is a standalone
program that has the suid bit set, binds privileged ports and passes
the file descriptor to Yaws. I have made a package out of the jungerl
code that can be easily installed through the usual cycle of
make && make install. The code is at
</p>
<pre>
http://yaws.hyber.org/download/fd_server-2.3.0.tgz
</pre>
<p>
One major drawback with fdsrv is that it doesn't work for SSL. In
the case of SSL, one possible solution is to put ssltunnel in
front of Yaws and let Yaws bind to 127.0.0.1.
</p>
<p>
All in all, the fdsrv option is much worse than the authbind option.
</p>

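The hand-over that fdsrv performs, shown as an added example that is not fdsrv's or Yaws' own code: a helper process binds the listening socket and passes the descriptor to an unprivileged receiver over a Unix socketpair with SCM_RIGHTS, so the receiver ends up serving on a port it never had the privilege to bind. The fork-and-socketpair arrangement and port 0 are assumptions to keep the demo runnable without root; the real helper is a setuid binary that binds 80 or 443.

```c
/* Added example, not fdsrv's or Yaws' own code: a helper process binds a
 * listening socket and hands it to an unprivileged receiver over a Unix
 * socketpair with SCM_RIGHTS; fdsrv would bind 80/443 instead of port 0. */
#include <arpa/inet.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
/* One-byte payload plus aligned control space for a single descriptor. */
struct fdmsg { char byte; union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } c;
               struct iovec iov; struct msghdr m; };
static void fdmsg_init(struct fdmsg *x) {
    memset(x, 0, sizeof *x);
    x->iov.iov_base = &x->byte; x->iov.iov_len = 1;
    x->m.msg_iov = &x->iov; x->m.msg_iovlen = 1;
    x->m.msg_control = x->c.buf; x->m.msg_controllen = sizeof x->c.buf;
}
/* Send descriptor fd over Unix socket chan: 0 on success, -1 on error. */
int send_fd(int chan, int fd) {
    struct fdmsg x; fdmsg_init(&x);
    struct cmsghdr *c = CMSG_FIRSTHDR(&x.m);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &x.m, 0) == 1 ? 0 : -1;
}
/* Receive one descriptor from chan; returns it, or -1 if none arrived. */
int recv_fd(int chan) {
    struct fdmsg x; fdmsg_init(&x);
    if (recvmsg(chan, &x.m, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&x.m);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof(int)); return fd;
}
/* Fork a helper that binds 127.0.0.1:port and passes the listening socket back;
 * returns the port the received socket is bound to (via getsockname), or -1. */
int fdsrv_demo(int port) {
    int sv[2], fd, ok; socklen_t len = sizeof(struct sockaddr_in);
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(port),
                             .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {                       /* helper: the part fdsrv runs setuid root */
        int ls = socket(AF_INET, SOCK_STREAM, 0);
        if (ls < 0 || bind(ls, (struct sockaddr *)&a, sizeof a) || listen(ls, 8)) _exit(1);
        _exit(send_fd(sv[1], ls) ? 1 : 0);
    }
    close(sv[1]); fd = recv_fd(sv[0]); waitpid(pid, NULL, 0); close(sv[0]);
    if (fd < 0) return -1;
    ok = getsockname(fd, (struct sockaddr *)&a, &len);   /* receiver never called bind */
    close(fd); return ok == 0 ? ntohs(a.sin_port) : -1;
}
```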

<p>
Here is a description of how to do this on Mac OS X. It's not exactly the same,
since we're still binding to non-privileged ports. Instead,
edit /etc/sysctl and add:
</p>

<pre>
net.inet.ip.forwarding=1
</pre>

<p>
Then, with ipfw as the firewall (turn off the GUI firewall in System
Preferences and manage your own rules), use ipfw rules like these. For
testing on your own box use something like:
</p>

<pre>
ipfw add fwd 127.0.0.1,8080 tcp from any to 127.0.0.1 dst-port 80 in
ipfw add fwd 127.0.0.1,8443 tcp from any to 127.0.0.1 dst-port 443 in
</pre>

<p>
Set up Yaws to use 8080 and 8443 in yaws.conf and then run it as some
non-root user. When you browse to http://127.0.0.1 or https://127.0.0.1
you will see your pages, which are actually served on 8080 and 8443
internally and reached via ipfw forwarding.
</p>


<p>

Yet another (more complicated) way for Linux users is to hack the kernel.
Here is a patch I did for some version of the 2.6 series kernels; you get the idea.
</p>


<verbatim>
[root@lax]ipv4 > diff -c af_inet.c*
*** af_inet.c Wed Feb 23 23:31:35 2005
--- af_inet.c~ Thu Feb 17 18:13:13 2005
***************
*** 423,434 ****

snum = ntohs(addr->sin_port);
err = -EACCES;
- #if 0
- /* removed by klacke */
if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
goto out;
- #endif
-

/* We keep a pair of addresses. rcv_saddr is the one
* used by hash lookups, and saddr is used for transmit.
--- 423,430 ----
</verbatim>
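Review bot: wrapping the "if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))" check in "#if 0" disables it for every process on the machine, not just the Yaws user, so after this patch any local account can bind ports below 1024 and stand in for system services; the per-process mechanisms earlier on this page (the Solaris net_privaddr privilege, setcap 'cap_net_bind_service=+ep') grant the same ability to Yaws alone and are the change to recommend instead. Note also that the diff was produced as "diff -c af_inet.c*", which puts the edited af_inet.c on the "***" side and the af_inet.c~ backup on the "---" side, so the "-" lines ("- #if 0", "- /* removed by klacke */", "- #endif") are what the patch adds rather than removes; anyone applying it has to reverse it or swap the operands. A comment in the source naming the commit and reason, rather than the bare "removed by klacke", would also make the weakened check findable in a later audit of the tree.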




<erl>
out(A) -> {ssi, "END2",[],[]}.
</erl>

