
How to use less than 1024 ports for Linux non-root user programs

2025-04-01 Update. From: SLTechnology News&Howtos, Servers


Shulou(Shulou.com)06/01 Report--

This article explains how a program running as a non-root user on Linux can serve a port below 1024. Most people are not very familiar with the options, so the methods are collected here for reference. I hope you gain something from reading it; let's go through them together.

The first method:

SetUID

Setting the SetUID bit on the executable makes the program run with the privileges of the file's owner. When the owner is root, this has the same effect as running the program as root, so it must be used with great care: it carries a real security risk, especially if the program being executed has vulnerabilities of its own. The method is:

chown root:root /path/to/application
# set the SetUID bit
chmod u+s /path/to/application

We can see that the system itself uses SetUID on files such as /usr/bin/passwd, so that every user can run passwd to change their own password; passwd has to modify /etc/passwd, which only root has permission to write.

Since the purpose of using non-root users to run the program is to reduce the security risk that the program itself brings to the system, this method needs to be used with special care.

The second method:

CAP_NET_BIND_SERVICE

Since version 2.1, the Linux kernel has had the concept of capabilities, which lets ordinary users perform individual tasks that otherwise only the superuser can do, including binding to ports below 1024.

Granting the program the CAP_NET_BIND_SERVICE capability lets it bind to a low port even when the service runs under a non-root account. The method is:

# set CAP_NET_BIND_SERVICE
setcap cap_net_bind_service=+ep /path/to/application

Note:

1. This method is not available on every Linux system; the kernel did not provide it before 2.1, so check that the system on which you want to use it supports capabilities.

2. Also note that if the program file to be run is a script, this method cannot work (file capabilities are not applied to scripts).
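The two settings above (a root-owned SetUID file and a cap_net_bind_service file capability) are what a defender audits when a non-root service is found listening below 1024. The following added example, which is not from the original article, decodes those indicators: the SetUID bit from the file mode, the getcap output for the file, and the CapEff mask of a running process in /proc/<pid>/status. The path /path/to/application and the getcap line are constructed samples.

```python
"""Decode the indicators that let a non-root program bind a port below 1024.

Added example, not part of the original article. Covers the SetUID-root bit,
a cap_net_bind_service file capability as printed by getcap, and the
CAP_NET_BIND_SERVICE bit in a process's CapEff mask (/proc/<pid>/status).
"""
import os
import re
import stat

CAP_NET_BIND_SERVICE = 10  # capability number from <linux/capability.h>


def is_setuid_root(path: str) -> bool:
    """True if the file is owned by uid 0 and carries the SetUID bit (method one)."""
    st = os.stat(path)
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)


def getcap_grants_net_bind(getcap_line: str) -> bool:
    """Parse one line of getcap output and report whether cap_net_bind_service is
    in both the effective (e) and permitted (p) sets (method two).
    Accepts the older 'path = cap_x+ep' and the newer 'path cap_x=ep' formats."""
    m = re.search(r"cap_net_bind_service(?:,\w+)*\s*[=+]\s*([eip]+)", getcap_line)
    if not m:
        return False
    flags = m.group(1)
    # 'p' alone is not enough for a program that does not raise the capability itself.
    return "e" in flags and "p" in flags


def capeff_from_status(status_text: str) -> str:
    """Extract the CapEff hex mask from the text of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line in status text")
    return m.group(1)


def capeff_has_net_bind(capeff_hex: str) -> bool:
    """True if bit 10 (CAP_NET_BIND_SERVICE) is set in a CapEff hex mask."""
    return bool((int(capeff_hex, 16) >> CAP_NET_BIND_SERVICE) & 1)


if __name__ == "__main__":
    # Constructed sample line; a real audit would run: getcap /path/to/application
    sample_getcap = "/path/to/application cap_net_bind_service=ep"
    print("file capability grants low-port bind:", getcap_grants_net_bind(sample_getcap))
    with open("/proc/self/status") as fh:  # Linux only
        print("this process may bind <1024:", capeff_has_net_bind(capeff_from_status(fh.read())))
```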

The third method:

Port Forwarding

If the program you want to run can be configured to listen on a different port, this method can be used. First, run the program under a non-root account and bind it to a port above 1024. Once it is working correctly, use port forwarding to redirect traffic arriving on the low port to the high port, so that the non-root program effectively serves the low port. This can be done as follows:

# Enable the IP FORWARD kernel parameter
sysctl -w net.ipv4.ip_forward=1
# Use iptables rules to redirect packets
# (note: -F flushes every existing rule in the nat table)
iptables -F -t nat
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination :8088

First, use sysctl to make sure IP FORWARD is enabled (it is disabled by default on Red Hat/CentOS). Note that the sysctl setting used above is temporary and is reset after a reboot. To make it persistent, set it in the /etc/sysctl.conf file:

# Default value is 0, needs to be changed to 1
# net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1

Then load the new configuration from the file

# load new sysctl.conf
sysctl -p /etc/sysctl.conf
# or
sysctl -p   # default filename is /etc/sysctl.conf

The second step is to use the rules of iptables to forward the port to the port where the program is located. In this example, we will forward port 80 to 8088.

This method achieves our goal well: the program runs as a non-root user while still providing a service on a low port.

The fourth method:

RINETD2

This method also uses port forwarding; the tool can map a local port to a remote port. For our purpose, however, it is of marginal value: it adds an additional program to the system, which may increase the system's attack surface. It is not recommended here.

That is the whole of the article "how Linux non-root user programs use ports less than 1024". Thank you for reading! I hope it has given you a clear picture of the options; if you want to learn more, welcome to follow the industry information channel!
