<erl>
out(A) ->
    {ssi, "TAB.inc", "%%", [{"privbind", "choosen"}]}.
</erl>


<div id="entry">

<h1>Binding to privileged ports</h1>

<p>
A common misfeature found on UN*X operating systems is the
restriction that only root can bind to ports below 1024.
Many a dollar has been wasted on workarounds and, often, the results are
security holes.

</p>
<p>
Both FreeBSD and Solaris have elegant configuration options to
turn this feature off. On FreeBSD:

<div class="box">
<verbatim>
$ sysctl net.inet.ip.portrange.reservedhigh=0
</verbatim>
</div>

The above is best added to your /etc/sysctl.conf.
</p>
<p>
Similarly on Solaris we can just configure away this misfeature.
Assume we want to run Yaws/SSL under a non-root user "erlang" on
ports 80/443.
</p>
<p>
On Solaris we can do that easily by granting the specific right to bind
privileged ports &lt;1024 (and only that) to "erlang" using:
</p>

<div class="box">
<verbatim>
$ /usr/sbin/usermod -K defaultpriv=basic,net_privaddr erlang
</verbatim>
</div>

<p>
And check that we got what we want through:
</p>


<div class="box">
<verbatim>
$ grep erlang /etc/user_attr
erlang::::type=normal;defaultpriv=basic,net_privaddr

</verbatim>
</div>


<p>
On Linux, with kernels later than 2.6.24, it's possible to do:
</p>
<div class="box">
<verbatim>
$ setcap 'cap_net_bind_service=+ep' /usr/lib/erlang/erts-5.7.4/bin/beam
</verbatim>
</div>

<p>
The above command grants the capability of binding
privileged ports to beam. Note, you have to grant the privileges to the
actual executable you are using.
</p>

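<p>
The script below is an added example and not code from the Yaws docs. It audits a Linux Erlang install for the caveat just stated: it finds the beam/beam.smp binaries under an assumed ERL_ROOT (the erl and yaws wrappers are shell scripts that end up exec'ing beam, so a capability set on them has no effect), checks with getcap that cap_net_bind_service is in both the effective and permitted sets, and prints each binary's mode, because a file capability is available to every user who can execute the file, not to one user as with the Solaris grant above. The function names and the ERL_ROOT default are this example's own assumptions.
</p>

```shell
#!/bin/sh
# Added example, not from the Yaws docs: audit which executables
# really carry cap_net_bind_service on a Linux host. Assumes
# libcap's getcap is installed and ERL_ROOT is the Erlang install.

ERL_ROOT=${ERL_ROOT:-/usr/lib/erlang}

# The VM binaries: erl and yaws are shell scripts that exec erlexec,
# which execs erts-*/bin/beam or beam.smp, so only those files can
# usefully carry the capability (setcap on the wrapper does nothing).
vm_binaries() {
    find "$1" -path '*/erts-*/bin/beam*' -type f 2>/dev/null
}

# Parse one getcap output line; both libcap formats are handled:
#   /path = cap_net_bind_service+ep   (older libcap)
#   /path cap_net_bind_service=ep     (newer libcap)
# Succeeds only if the flags hold e (effective) and p (permitted):
# with p alone beam would have to raise the capability itself.
cap_ok() {
    for clause in $1; do
        case "$clause" in
            *cap_net_bind_service*[+=]*)
                flags=${clause##*[+=]}
                case "$flags" in *e*) case "$flags" in *p*) return 0 ;; esac ;; esac
                ;;
        esac
    done
    return 1
}

# Report every VM binary, whether it may bind ports below 1024, and
# its mode: a file capability is handed to anyone who can execute
# the file, so a world-executable beam means every local user.
audit() {
    for exe in $(vm_binaries "$ERL_ROOT"); do
        if cap_ok "$(getcap "$exe" 2>/dev/null)"; then
            state="can bind privileged ports"
        else
            state="no usable cap_net_bind_service"
        fi
        printf '%s  %s  %s\n' "$(ls -l "$exe" | cut -c1-10)" "$exe" "$state"
    done
}

case "${1:-}" in audit) audit ;; esac
```

Run it as <em>sh audit.sh audit</em>; an Erlang upgrade that installs a new erts-*/bin/beam drops the capability, so rerun it after upgrades.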
<p>
There are a couple
of other options on Linux. One is to use an auxiliary program
like authbind <em>http://packages.debian.org/stable/authbind</em>
or privbind <em>http://sourceforge.net/projects/privbind/</em>
</p>
<p>
These programs are run by root. Yaws writes its temporary
JIT compiled files in $HOME/.yaws and this doesn't work that
well with authbind/privbind: since the wrapper is started by root,
$HOME is still /root, so the non-root user will try to
write in /root/.yaws. The solution to this is to set the
environment variable YAWSHOME. Yaws will then consider that to
be HOME rather than $HOME.
</p>
<p>
To start yaws under e.g. privbind we can do:
</p>


<div class="box">
<verbatim>
$ sudo YAWSHOME=/tmp/abc privbind -u klacke /home/klacke/bin/yaws \
    -c /home/klacke/yaws.conf -i

</verbatim>
</div>

<p>
The above command starts yaws as user <em>klacke</em> and binds
to ports below 1024.
</p>

<p>
Yet another option is to install fdsrv, which is a standalone
program that has the suid bit set, binds privileged ports and passes
the file descriptor to yaws. I have made a package out of the jungerl
code that can be easily installed just through the usual cycle of
make && make install. The code is at
</p>
<pre>
http://yaws.hyber.org/download/fd_server-2.3.0.tgz
</pre>
<p>
One major drawback with fdsrv is that it doesn't work for SSL. In
the case of SSL, one possible solution is to put ssltunnel in
front of yaws and let yaws bind to 127.0.0.1.
</p>
<p>
All in all the fdsrv option is much worse than the authbind option.
</p>


<p>
Here is a description of how to do this on Mac OS X. It's not exactly the same,
since we're still binding to non-privileged ports. However,
edit /etc/sysctl.conf and add:
</p>

<pre>
net.inet.ip.forwarding=1
</pre>

<p>
Then with ipfw as the firewall (turn off the GUI firewall in System
Preferences and manage your own rules) use ipfw rules like these; for
testing on your own box use something like:
</p>

<pre>
ipfw add fwd 127.0.0.1,8080 tcp from any to 127.0.0.1 dst-port 80 in
ipfw add fwd 127.0.0.1,8443 tcp from any to 127.0.0.1 dst-port 443 in
</pre>

<p>
Set up yaws to use 8080 and 8443 in yaws.conf and then run it as some non-root
user. When you browse to http://127.0.0.1 or https://127.0.0.1
you will see your pages, which are actually served on 8080 and 8443 internally
but forwarded via ipfw.
</p>


<p>

Yet another (more complicated) way for Linux users is to hack the kernel.
Here is a patch I did for some version of the 2.6 series kernels .. you get the idea.
</p>


<verbatim>
[root@lax]ipv4 > diff -c af_inet.c*
*** af_inet.c Wed Feb 23 23:31:35 2005
--- af_inet.c~ Thu Feb 17 18:13:13 2005
***************
*** 423,434 ****

snum = ntohs(addr->sin_port);
err = -EACCES;
- #if 0
- /* removed by klacke */
if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
goto out;
- #endif
-

/* We keep a pair of addresses. rcv_saddr is the one
* used by hash lookups, and saddr is used for transmit.
--- 423,430 ----
</verbatim>
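<p>
Review bot: the #if 0 / #endif pair in this hunk disables the only check that stops a process without CAP_NET_BIND_SERVICE from binding a port below PROT_SOCK, so the restriction is gone for every process on the machine, not just for the user running yaws; the setcap form above confines the grant to one executable and the Solaris net_privaddr form to one user, which is why either is preferable to this patch. Note also that af_inet.c (Feb 23) is listed first and the backup af_inet.c~ (Feb 17) second, so the diff runs in the reverse of the usual direction: the "-" marked lines are what the hack added, and reproducing it on a pristine tree means applying this output in reverse (patch -R).
</p>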



<erl>
out(A) -> {ssi, "END2", [], []}.
</erl>
