| |||||||||||||
User namespaces progressUser namespaces progressPosted Jan 3, 2013 7:59 UTC (Thu) by ebiederm (subscriber, #35028)In reply to: User namespaces progress by quotemstr Parent article: User namespaces progress
Privileged ports keep those pesky users off of the ports where you run your servers.
(Log in to post comments)
User namespaces progress Posted Jan 3, 2013 16:42 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]
And forces you to run daemons under the freaking root user. Great improvement, yes.
User namespaces progress Posted Jan 3, 2013 17:18 UTC (Thu) by andresfreund (subscriber, #69562) [Link]
Err, no. They can change their uid away after start without any problems. Or they can get an additional CAP_NET_BIND_SERVICE without all the rest of root's powers.
User namespaces progress Posted Jan 3, 2013 17:21 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]
Ok. I have a Java application that needs to listen on port 80.
How do I do it? I've actually tried multiple ways and all of them failed.
User namespaces progress Posted Jan 3, 2013 17:40 UTC (Thu) by man_ls (subscriber, #15091) [Link] Have you tried setcap?setcap 'cap_net_bind_service=+ep' /path/to/programIt worked for me but it was not Java; in your case run setcap for the java binary.
User namespaces progress Posted Jan 3, 2013 19:15 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]
And now all Java programs have this privilege. Which is not that bad, since this restriction is brain-dead in the first place. But it also breaks during updates and is totally non-transparent (NOBODY checks file caps).
You might actually notice that I have an answer in the thread you've linked: http://stackoverflow.com/a/7701793/625001 However, while it works for erlang it somehow fails for Java. Don't ask me why.
User namespaces progress Posted Jan 3, 2013 17:44 UTC (Thu) by andresfreund (subscriber, #69562) [Link]
It depends a bit on how you want to start java, but in general you can do stuff like:
$ nc -l 234 nc: Permission denied $ cp `which nc` /tmp/nc && sudo setcap cap_net_bind_service+ep /tmp/nc $ /tmp/nc -l 234 ^C
In many scenarios you probably will end up using something like capsh or pam-cap.
User namespaces progress Posted Jan 3, 2013 19:18 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]
By copying a binary.
Beautiful. Not.
> In many scenarios you probably will end up using something like capsh or pam-cap.
User namespaces progress Posted Jan 3, 2013 21:05 UTC (Thu) by andresfreund (subscriber, #69562) [Link]
> By copying a binary.
> Beautiful. Not.
I only copied the binary because I do *not* want my normal nc to have the capability to bind to root-only ports.
> In many scenarios you probably will end up using something like capsh or pam-cap.
libpam-cap is probably easier for you:
It should be rather similar for other distributions.
Then start a new shell as your user (*not* via sudo "su - cyberax", use sudo -u cyberax, or su - cyberax from *your* user or such, pam_rootok makes a pretty unfortunate shortcut there) and voila:
User namespaces progress Posted Jan 3, 2013 21:09 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]
That's much better than setting caps for executable files, but still has the problem of non-locality. It's impossible to understand from the daemon's command line that it magically acquires additional caps.
User namespaces progress Posted Jan 3, 2013 21:21 UTC (Thu) by andresfreund (subscriber, #69562) [Link]
Hm, I don't really see that as a problem. But anyway:
sudo /sbin/capsh --caps=cap_net_bind_service+pei == --user=andres -- -c "nc -l 434"
Yes. Ugly. But it works. (capsh is/was a demo tool)
User namespaces progress Posted Jan 3, 2013 21:24 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]
Doesn't work with Java, just tried it on my system (it's Debian Stable).
|
|||||||||||||