
    Bind Linux Process to Well Known Web Ports When Not Root

    IT Discussion
    linux centos rhel ubuntu fedora arch suse mint
    • scottalanmiller

      If you have ever tried to run a user space program on Linux with a port below 1024 you know that this is a security problem and you are not allowed to do so. There is a simple fix for this, but it is not well known.

      Once you know the binary that you will be using to open the low number (well known) port you can use this command to grant it permission to use these ports without otherwise compromising security.

      setcap cap_net_bind_service+ep /my/binary/file
      

      Now you can run your application. This is most commonly used for user space web applications that want to use port 80 or 443 without requiring that you run a reverse proxy in front of them.

      • 1337 @scottalanmiller

        @scottalanmiller said in Bind Linux Process to Well Known Web Ports When Not Root:

        If you have ever tried to run a user space program on Linux with a port below 1024 you know that this is a security problem and you are not allowed to do so. There is a simple fix for this, but it is not well known.

        Once you know the binary that you will be using to open the low number (well known) port you can use this command to grant it permission to use these ports without otherwise compromising security.

        setcap cap_net_bind_service+ep /my/binary/file
        

        Now you can run your application. This is most commonly used for user space web applications that want to use port 80 or 443 without requiring that you run a reverse proxy in front of them.

        Good to know!

        I found this as an example of how to use it and also commands to remove the permission:
        https://cwiki.apache.org/confluence/display/HTTPD/NonRootPortBinding

        The setcap utility seems to be available in the libcap2-bin package on Debian distros.

        I haven't checked if it's installed by default.

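The review side of the setcap grant discussed in this thread, as an added example that is not part of either post: it reads `getcap -r` output and flags cases where cap_net_bind_service was placed on a general-purpose interpreter instead of a single application binary. The function names, the interpreter name list and the sample lines are assumptions constructed for this example.

```sh
#!/bin/sh
# Added example, not from the thread. Reads `getcap -r` output on stdin and
# reviews every file that holds cap_net_bind_service.
# review_bind_caps and the interpreter name list are assumptions of this example.

# Output: "RISKY <path>" when the grant sits on a general-purpose interpreter
# (file capabilities belong to the binary, so every script it runs may bind
# ports below 1024), "OK <path>" for any other binary.
review_bind_caps() (
    while IFS= read -r line; do
        case "$line" in
            *cap_net_bind_service*) ;;
            *) continue ;;          # blank lines and other capabilities
        esac
        # libcap prints "path = caps" (older) or "path caps" (newer).
        path=${line%% = *}
        [ "$path" != "$line" ] || path=${line%% cap_*}
        base=${path##*/}
        case "$base" in
            python*|node|nodejs|perl*|ruby*|php*|java|bash|dash|sh)
                echo "RISKY $path" ;;
            *)
                echo "OK $path" ;;
        esac
    done
)

# Constructed sample in both getcap output formats (not real system output).
sample_getcap_output() {
    cat <<'EOF'
/usr/bin/ping = cap_net_raw+ep
/opt/myapp/server = cap_net_bind_service+ep
/usr/bin/python3.11 cap_net_bind_service=ep
/usr/local/bin/node cap_net_bind_service,cap_net_raw=ep
EOF
}

sample_getcap_output | review_bind_caps
# On a live host: getcap -r / 2>/dev/null | review_bind_caps
```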