
#1 2018-12-01 14:36:09

mpboom
Member
From: The Netherlands
Registered: 2018-12-01
Posts: 4

[SOLVED] Disable the 1024 port limit

Hi,

On Linux (and ArchLinux too) processes can't listen on any ports below 1024 unless approved by a system administrator. In this thread: https://stackoverflow.com/questions/413 … s-on-linux a couple of ways to disable this for a specific program are mentioned, but I was wondering how to disable this for the entire system and all users. Did anyone ever do this, or does anyone have an idea on how to completely disable this limit?

Last edited by mpboom (2018-12-01 15:07:51)


#2 2018-12-01 14:41:06

amish
Member
Registered: 2014-05-10
Posts: 470

Re: [SOLVED] Disable the 1024 port limit

I have never tried this but see "ip_unprivileged_port_start" under:

https://www.kernel.org/doc/Documentatio … sysctl.txt

ip_unprivileged_port_start - INTEGER
    This is a per-namespace sysctl.  It defines the first
    unprivileged port in the network namespace.  Privileged ports
    require root or CAP_NET_BIND_SERVICE in order to bind to them.
    To disable all privileged ports, set this to 0.  It may not
    overlap with the ip_local_reserved_ports range.

    Default: 1024

So try this:

sysctl net.ipv4.ip_unprivileged_port_start=0

Last edited by amish (2018-12-01 14:45:06)

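The knob from post #2 in practice, as an added example that is not part of the thread: read the current value, describe what a given value means for a port, and apply plus persist a new value. It goes slightly beyond the post by showing that the value is a threshold rather than an on/off switch (ports below it stay privileged, so a value of 80 opens port 80 without opening 0 to 79). The drop-in path under /etc/sysctl.d is an assumed name; any file there works.

```shell
#!/bin/sh
# Added example (not from the thread): inspect, set and persist
# net.ipv4.ip_unprivileged_port_start and show what a value means.
set -eu

SYSCTL_KEY=net.ipv4.ip_unprivileged_port_start
PROCFILE=/proc/sys/net/ipv4/ip_unprivileged_port_start
DROPIN=/etc/sysctl.d/90-unprivileged-ports.conf   # assumed name, any works

# Print the current value for this network namespace (the knob is
# per-netns), or "unavailable" on kernels that do not expose it.
current_port_start() {
    if [ -r "$PROCFILE" ]; then cat "$PROCFILE"; else echo unavailable; fi
}

# Pure helper: does port $1 need root/CAP_NET_BIND_SERVICE when the knob
# is $2? Prints "yes" or "no". Ports strictly below the value are
# privileged, so 0 means nothing is.
port_needs_cap() {
    port=$1; start=$2
    if [ "$port" -lt "$start" ]; then echo yes; else echo no; fi
}

# The sysctl.d drop-in line that makes value $1 survive a reboot.
dropin_content() {
    printf '%s = %s\n' "$SYSCTL_KEY" "$1"
}

# Apply a value now and persist it. Needs root; refuses to run otherwise.
# The kernel rejects values that overlap ip_local_reserved_ports, hence
# the read-back check at the end.
apply_port_start() {
    value=$1
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_port_start: run as root" >&2; return 1
    fi
    sysctl -w "$SYSCTL_KEY=$value"
    dropin_content "$value" > "$DROPIN"
    [ "$(current_port_start)" = "$value" ]
}

# Demonstration when run directly (nothing below needs root):
echo "current value: $(current_port_start)"
echo "port 80 with default 1024 -> needs cap: $(port_needs_cap 80 1024)"
echo "port 80 with value 80     -> needs cap: $(port_needs_cap 80 80)"
echo "port 79 with value 80     -> needs cap: $(port_needs_cap 79 80)"
echo "port 80 with value 0      -> needs cap: $(port_needs_cap 80 0)"
# apply_port_start 0    # as root: what post #2 suggests, system-wide
```

Running `apply_port_start 80` instead of `0` is the narrower variant: it lets an unprivileged user bind 80 and everything above it while leaving the ports below 80 protected.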

#3 2018-12-01 15:08:18

mpboom
Member
From: The Netherlands
Registered: 2018-12-01
Posts: 4

Re: [SOLVED] Disable the 1024 port limit

Thank you so much! This is exactly what I wanted!


#4 2018-12-01 16:41:13

mpan
Member
Registered: 2012-08-01
Posts: 1,188
Website

Re: [SOLVED] Disable the 1024 port limit

This is not what you want.

There is a good reason this limit exists: it is an important security measure. By setting all ports as unprivileged, you permit anyone on your system to expose services on those ports, including rogue services that may be used to attack your machine, other applications on your machine or other machines (for example by spoofing DHCP, by extension spoofing DNS, supporting DNS rebinding attacks &c.), to attack users/programs (including you) connecting to your machine (for example by exposing a fake SSH server or sending back rogue data that the other side blindly considers to be safe) and so on.

The proper methods have been shown in the forum post you have linked.


Sometimes I seem a bit harsh — don’t get offended too easily!


#5 2018-12-01 17:00:26

mpboom
Member
From: The Netherlands
Registered: 2018-12-01
Posts: 4

Re: [SOLVED] Disable the 1024 port limit

Thanks a lot for the heads-up! However, this is really what I need. I am using a non-shared computer and the alternative is to just log in as root (which I consider to be more unsafe than this).


#6 2018-12-01 17:10:39

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,442
Website

Re: [SOLVED] Disable the 1024 port limit

That's not the only alternative.  The process in question just needs root access to bind the port (after which it can immediately drop privileges).  What is the process in question and why does it need a low numbered port?

Last edited by Trilby (2018-12-01 17:36:24)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#7 2018-12-01 17:16:53

mpboom
Member
From: The Netherlands
Registered: 2018-12-01
Posts: 4

Re: [SOLVED] Disable the 1024 port limit

It's mostly about simple Go webservers run through

go run [...].go

and my entire Docker installation. I want it to run on low-numbered ports because I've always worked that way (I installed Arch alongside Windows a while ago and really want to switch my development stuff over to Arch). In short: I believe I should be able to quickly spin up a webserver on whatever port I want to.


#8 2018-12-01 17:18:51

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,442
Website

Re: [SOLVED] Disable the 1024 port limit

Webservers are generally run via a system service.  Even without a system service, you can start them with `sudo ...` without having to run everything as root.


#9 2018-12-01 17:25:37

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,739

Re: [SOLVED] Disable the 1024 port limit

Expanding on Trilby's comment in post #6; you may want to look into authbind.  It is in the AUR.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way


#10 2018-12-02 04:15:48

mpan
Member
Registered: 2012-08-01
Posts: 1,188
Website

Re: [SOLVED] Disable the 1024 port limit

Which is also the first suggestion linked in the first post. Along with the iptables-based approach. And both of them are the right and safe way to do that.

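The per-program routes that posts #6, #8 and #10 prefer over the system-wide knob, as an added example that is not part of the thread: grant CAP_NET_BIND_SERVICE to one binary (a file capability) or to one systemd service running as an unprivileged user, or leave the program on a high port and redirect the low one to it with iptables. The user name, binary path and port numbers are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Two routes for giving one program
# a low port without touching net.ipv4.ip_unprivileged_port_start:
#   1. CAP_NET_BIND_SERVICE, as a file capability on the built binary or
#      granted by systemd to a service that runs as a normal user.
#   2. A NAT redirect so the program listens on 8080 while clients hit 80.
# devuser, /home/devuser/bin/server and the ports are assumptions.
set -eu

# Route 1a: file capability on a compiled binary. The capability is lost
# whenever the file is rewritten, so it has to follow every `go build`;
# `go run` compiles into a temporary directory and never picks it up.
setcap_after_build() {
    bin=$1
    sudo setcap 'cap_net_bind_service=+ep' "$bin"
    getcap "$bin"     # expect: <bin> cap_net_bind_service=ep
}

# Route 1b: unit text for a service that runs as $1, executes $2, and
# receives only CAP_NET_BIND_SERVICE. The bounding set keeps the daemon
# from acquiring anything else; NoNewPrivileges blocks setuid escalation.
unit_with_bind_cap() {
    user=$1; exec=$2
    cat <<EOF
[Unit]
Description=Dev web server on a privileged port (added example)
After=network.target

[Service]
User=$user
ExecStart=$exec
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
EOF
}

# Route 2: the iptables commands that send TCP :$1 to :$2. PREROUTING
# covers traffic arriving on an interface; the OUTPUT rule covers
# connections from the host itself (curl http://localhost/ would
# otherwise bypass the redirect).
redirect_rules() {
    from=$1; to=$2
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-port %s\n' "$from" "$to"
    printf 'iptables -t nat -A OUTPUT -o lo -p tcp --dport %s -j REDIRECT --to-port %s\n' "$from" "$to"
}

# Pure check: does a unit text grant exactly the one capability, both as
# ambient and as the bounding set? Returns 0 if so.
unit_grants_only_bind_cap() {
    printf '%s\n' "$1" | grep -qx 'AmbientCapabilities=CAP_NET_BIND_SERVICE' &&
    printf '%s\n' "$1" | grep -qx 'CapabilityBoundingSet=CAP_NET_BIND_SERVICE'
}

# Demonstration when run directly (nothing here needs root):
unit=$(unit_with_bind_cap devuser /home/devuser/bin/server)
printf '%s\n' "$unit"
unit_grants_only_bind_cap "$unit" && echo "unit grants only CAP_NET_BIND_SERVICE"
redirect_rules 80 8080
# Install the unit as /etc/systemd/system/devweb.service, then
#   sudo systemctl daemon-reload && sudo systemctl start devweb
# Apply the redirect by running the two printed commands as root.
```

For the `go run` workflow in post #7, route 1b or route 2 are the ones that hold up, since neither depends on the identity of the binary that is rebuilt on every run.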

#11 2018-12-02 15:22:04

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,739

Re: [SOLVED] Disable the 1024 port limit

mpan wrote:

Which is also the first suggestion linked in the first post. Along with iptables-based approach. And both of them are right and safe way to do that.

So it was.  whoops.  I guess I had concentrated only on the responses o_O


#12 2018-12-02 17:47:03

mpan
Member
Registered: 2012-08-01
Posts: 1,188
Website

Re: [SOLVED] Disable the 1024 port limit

It wasn’t against you, ewaller. I am merely pointing that out to mpboom — they provided the proper solution, supported by you too, in their first post.


#13 2019-07-23 11:27:21

az12shareart
Member
Registered: 2019-07-23
Posts: 2

Re: [SOLVED] Disable the 1024 port limit

mpan wrote:

There is a good reason this limit exists: is an important security measure.

Important security measure? You give it too much undeserved credit. We should call it a dirty hack in place of a more robust network security framework, such as a default-drop host firewall and a service manager that opens ports on start and doesn't forget to close them immediately on shutdown and emergency exits, to obstruct any rogue program that decides to impersonate a legitimate daemon, even if that daemon happens to run on an unprivileged port (hi squid).

systemd.service(5), look for options ExecStartPost= and ExecStopPost=, then iptables(8)

I am looking at you nft(8), and you still lack an equivalent of iptables --delete chain rule-specification


Mods (seth and WorMzy): cut the gaslighting. Implement the "sage" button for old threads. BS security claims shouldn't show up on the Web unchallenged. Enabling BS and silencing the right solutions is a very low life tactic. My post was abiding by the CoC, and offered steps on network security that aren't reliant on archaic non-solutions.

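The default-drop pattern post #13 sketches, as an added example that is not part of the thread: a base INPUT policy that drops everything not explicitly accepted, and a unit whose ExecStartPost= opens its port and whose ExecStopPost= closes it again. ExecStopPost= also runs when the service crashes or is killed, which is the "emergency exits" part. The chain name, daemon path and port are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): default-drop host firewall plus a
# firewall hole tied to a service's lifetime via ExecStartPost=/ExecStopPost=.
# SERVICE_HOLES, /usr/local/bin/mydaemon and port 8080 are assumptions.
set -eu

CHAIN=SERVICE_HOLES   # user chain consulted before the default DROP

# One-time base policy: keep replies and loopback, consult the user chain
# for per-service accepts, then drop whatever is left.
base_policy() {
    cat <<'EOF'
iptables -N SERVICE_HOLES
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j SERVICE_HOLES
iptables -P INPUT DROP
EOF
}

# The rule specification is identical for -I and -D. That is what makes the
# close step reliable: -D deletes by spec, not by a rule number that may
# have shifted since the rule was inserted.
hole_spec() {
    printf -- '-p tcp --dport %s -j ACCEPT' "$1"
}

# Unit text for a daemon $2 on port $1. ExecStopPost= runs after ExecStop=
# and also when the main process dies on its own, so the hole closes with
# the daemon instead of outliving it.
unit_with_hole() {
    port=$1; exec=$2
    spec=$(hole_spec "$port")
    cat <<EOF
[Unit]
Description=Daemon on port $port with a lifetime-bound firewall hole (added example)
After=network.target

[Service]
ExecStart=$exec
ExecStartPost=/usr/bin/iptables -I $CHAIN $spec
ExecStopPost=/usr/bin/iptables -D $CHAIN $spec

[Install]
WantedBy=multi-user.target
EOF
}

# Pure check: the open and close lines must carry the same rule spec;
# if they drift apart, -D fails silently and the port stays open after stop.
hole_open_and_close_match() {
    open=$(printf '%s\n' "$1" | sed -n 's/^ExecStartPost=\/usr\/bin\/iptables -I [A-Z_]* //p')
    close=$(printf '%s\n' "$1" | sed -n 's/^ExecStopPost=\/usr\/bin\/iptables -D [A-Z_]* //p')
    [ -n "$open" ] && [ "$open" = "$close" ]
}

# Demonstration when run directly (nothing here needs root):
echo "# base policy, run once as root:"
base_policy
echo
echo "# unit for /etc/systemd/system/mydaemon.service:"
unit=$(unit_with_hole 8080 /usr/local/bin/mydaemon)
printf '%s\n' "$unit"
hole_open_and_close_match "$unit" && echo "# open/close rule specs match"
```

Because a restart runs ExecStopPost= before the next ExecStartPost=, the hole is removed and re-added rather than duplicated; the one case this does not cover is a crash of systemd itself, which a reboot (and the default DROP policy) handles.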

#14 2019-07-23 12:35:07

seth
Member
Registered: 2012-09-03
Posts: 49,963

Re: [SOLVED] Disable the 1024 port limit

Please do not necropost and certainly not for a semi-OT rant. Thanks.


#15 2019-07-23 12:42:09

WorMzy
Forum Moderator
From: Scotland
Registered: 2010-06-16
Posts: 11,783
Website

Re: [SOLVED] Disable the 1024 port limit

az12shareart, please do yourself a favour and read the entire code of conduct: https://wiki.archlinux.org/index.php/Code_of_conduct

Closing.


Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.
