Limiting privilege to binding reserved port
Posted May 2, 2008 15:22 UTC (Fri) by giraffedata
In reply to: Dropping root's ability to write all files
Parent article: Restricting root with per-process securebits
> having a process just bind a port below 1024 without being root while doing so would be really nice as well.
That's been there since the earliest days of capabilities. It is the NET_BIND_SERVICE capability. Whenever I have a program that wants superuser privilege just so it can bind a reserved port, I invoke it from a program "capexec", which sets NET_BIND_SERVICE capability only, sets the proper uid and gid, and execs the untrusted program. (The process is superuser when it invokes capexec).
Sometimes I have to modify the untrusted program because it contains a bogus check for uid zero.
But an even better way to deal with this is not to give any privilege to the untrusted program at all -- just pass it a file descriptor for a socket already bound to the reserved port. For that, I use "socketexec" before "capexec". Socketexec creates the socket and execs capexec. Capexec drops all privileges and execs the untrusted program. I usually have to modify the program to be able to take an already bound socket. Some programs have to bind multiple times in their life and this won't work.