User namespaces progress

Posted Jan 3, 2013 7:59 UTC (Thu) by ebiederm (subscriber, #35028)
In reply to: User namespaces progress by quotemstr
Parent article: User namespaces progress

Privileged ports keep those pesky users off of the ports where you run your servers.


User namespaces progress

Posted Jan 3, 2013 16:42 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)

And forces you to run daemons under the freaking root user. Great improvement, yes.

User namespaces progress

Posted Jan 3, 2013 17:18 UTC (Thu) by andresfreund (subscriber, #69562)

Err, no. They can change their uid away after start without any problems. Or they can get an additional CAP_NET_BIND_SERVICE without all the rest of root's powers.

User namespaces progress

Posted Jan 3, 2013 17:21 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)

Ok. I have a Java application that needs to listen on port 80.

How do I do it? I've actually tried multiple ways and all of them failed.

User namespaces progress

Posted Jan 3, 2013 17:40 UTC (Thu) by man_ls (subscriber, #15091)

Have you tried setcap?
setcap 'cap_net_bind_service=+ep' /path/to/program
It worked for me but it was not Java; in your case run setcap for the java binary.

User namespaces progress

Posted Jan 3, 2013 19:15 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)

And now all Java programs have this privilege. Which is not that bad, since this restriction is brain-dead in the first place. But it also breaks during updates and is totally non-transparent (NOBODY checks file caps).

You might actually notice that I have an answer in the thread you've linked: http://stackoverflow.com/a/7701793/625001 However, while it works for erlang it somehow fails for Java. Don't ask me why.

User namespaces progress

Posted Jan 3, 2013 17:44 UTC (Thu) by andresfreund (subscriber, #69562)

It depends a bit on how you want to start java, but in general you can do stuff like:
$ nc -l 234
nc: Permission denied
$ cp `which nc` /tmp/nc && sudo setcap cap_net_bind_service+ep /tmp/nc
$ /tmp/nc -l 234
^C

In many scenarios you probably will end up using something like capsh or pam-cap.

User namespaces progress

Posted Jan 3, 2013 19:18 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)

By copying a binary.

Beautiful. Not.

> In many scenarios you probably will end up using something like capsh or pam-cap.
I'll gladly send you a beer if you can give me a command line that actually works. I have tried all sorts of capsh command variations, but NONE of them works.

User namespaces progress

Posted Jan 3, 2013 21:05 UTC (Thu) by andresfreund (subscriber, #69562)

> By copying a binary.
> Beautiful. Not.

I only copied the binary because I do *not* want my normal nc to have the capability to bind to root-only ports.

> In many scenarios you probably will end up using something like capsh or pam-cap.

libpam-cap is probably easier for you:
apt-get install libpam-cap
pam-auth-update (enable "capabilities management")
sensible-editor /etc/security/capability.conf
# add "cap_net_bind_service cyberax"

It should be rather similar for other distributions.

Then start a new shell as your user (*not* via sudo "su - cyberax", use sudo -u cyberax, or su - cyberax from *your* user or such, pam_rootok makes a pretty unfortunate shortcut there) and voila:
andres@alap2:~$ sudo -u andres nc -l 434
^C

User namespaces progress

Posted Jan 3, 2013 21:09 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)

That's much better than setting caps for executable files, but still has the problem of non-locality. It's impossible to understand from the daemon's command line that it magically acquires additional caps.
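
The non-locality complaint above (and the earlier remark that nobody checks file caps) has a practical answer: ask the kernel. A running daemon's capability sets are visible in /proc/<pid>/status, and file capabilities set with setcap live in the security.capability xattr of the binary. The script below is an added example, not code from this thread or from LWN; the capability bit numbers and the vfs_cap_data layout it decodes are the ones in <linux/capability.h>, and the sample status text and xattr bytes embedded in it are constructed, not captured from a real system. Run it as `python3 capcheck.py [pid]` to see which of the five sets actually contain cap_net_bind_service for a given process and whether its executable carries file caps.

```python
"""Show where a process's cap_net_bind_service actually comes from.

Added example, not code from the LWN thread. Capability numbers and the
vfs_cap_data layout follow <linux/capability.h>; SAMPLE_STATUS and
SAMPLE_XATTR below are constructed, not captured from a real daemon.
"""
import os
import re
import struct

# Bit number -> name, in the order of <linux/capability.h>.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid",      # 0-4
    "kill", "setgid", "setuid", "setpcap", "linux_immutable",             # 5-9
    "net_bind_service", "net_broadcast", "net_admin", "net_raw",          # 10-13
    "ipc_lock", "ipc_owner", "sys_module", "sys_rawio", "sys_chroot",     # 14-18
    "sys_ptrace", "sys_pacct", "sys_admin", "sys_boot", "sys_nice",       # 19-23
    "sys_resource", "sys_time", "sys_tty_config", "mknod", "lease",       # 24-28
    "audit_write", "audit_control", "setfcap", "mac_override",            # 29-32
    "mac_admin", "syslog", "wake_alarm", "block_suspend", "audit_read",   # 33-37
    "perfmon", "bpf", "checkpoint_restore",                               # 38-40
]


def decode_caps(mask_hex):
    """'0000000000000400' (as printed after CapEff:) -> ['cap_net_bind_service']."""
    mask = int(mask_hex, 16)
    return [("cap_" + CAP_NAMES[b]) if b < len(CAP_NAMES) else "cap_%d" % b
            for b in range(mask.bit_length()) if (mask >> b) & 1]


def cap_sets(status_text):
    """Parse every Cap* line (CapInh, CapPrm, CapEff, CapBnd, CapAmb) of a status dump."""
    return {m.group(1): decode_caps(m.group(2))
            for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", status_text, re.M)}


def can_bind_privileged(status_text):
    """True if the process could bind a port below 1024 right now.
    Only the effective set matters for that check; a capability sitting
    in CapPrm or CapInh alone does not let bind(2) succeed."""
    return "cap_net_bind_service" in cap_sets(status_text).get("CapEff", [])


def decode_file_caps(raw):
    """Decode the security.capability xattr (struct vfs_cap_data, revision 2 or 3)."""
    magic = struct.unpack_from("<I", raw, 0)[0]
    rev = magic >> 24
    if rev not in (2, 3):
        raise ValueError("unsupported vfs_cap_data revision %d" % rev)
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<4I", raw, 4)
    out = {"revision": rev,
           "effective": bool(magic & 1),          # the 'e' of setcap ...+ep
           "permitted": decode_caps("%x" % ((p_hi << 32) | p_lo)),
           "inheritable": decode_caps("%x" % ((i_hi << 32) | i_lo))}
    if rev == 3:                                  # v3 adds the namespace root uid
        out["rootid"] = struct.unpack_from("<I", raw, 20)[0]
    return out


def file_caps(path):
    """File capabilities of path, or None if it carries none (or xattrs are unavailable)."""
    try:
        return decode_file_caps(os.getxattr(path, "security.capability"))
    except (OSError, AttributeError):
        return None


# Constructed: a daemon running as uid 1000 that was handed only
# cap_net_bind_service, the shape pam_cap or capsh leave behind.
SAMPLE_STATUS = (
    "Name:\tjava\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "CapInh:\t0000000000000400\n"
    "CapPrm:\t0000000000000400\n"
    "CapEff:\t0000000000000400\n"
    "CapBnd:\t0000003fffffffff\n"
    "CapAmb:\t0000000000000000\n"
)
# Constructed: the xattr `setcap cap_net_bind_service=+ep` writes (revision 2,
# effective flag set, permitted = bit 10, nothing inheritable).
SAMPLE_XATTR = bytes.fromhex("01000002" "00040000" "00000000" "00000000" "00000000")


if __name__ == "__main__":
    import sys
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    with open("/proc/%s/status" % pid) as f:
        status = f.read()
    for name, caps in cap_sets(status).items():
        print("%-7s %s" % (name, " ".join(caps) or "-"))
    print("can bind <1024:", can_bind_privileged(status))
    exe = os.readlink("/proc/%s/exe" % pid)
    print("file caps on %s: %s" % (exe, file_caps(exe)))
```

The two checks answer different questions. cap_sets on the daemon's pid tells you what it can do now, whichever of the mechanisms in this thread granted it (file caps, pam_cap, capsh). file_caps on the binary tells you whether the grant is stored on disk, which is the one a package upgrade silently replaces; pointing it at each copy of the interpreter after an update is the check the "breaks during updates" complaint calls for.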

User namespaces progress

Posted Jan 3, 2013 21:21 UTC (Thu) by andresfreund (subscriber, #69562)

Hm, I don't really see that as a problem. But anyway:

sudo /sbin/capsh --caps=cap_net_bind_service+pei == --user=andres -- -c "nc -l 434"

Yes. Ugly. But it works. (capsh is/was a demo tool)

User namespaces progress

Posted Jan 3, 2013 21:24 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)

Doesn't work with Java, just tried it on my system (it's Debian Stable).

Copyright © 2013, Eklektix, Inc.