[SOLVED] Disable the 1024 port limit

mpboom · 2018-12-01 14:36:09

Hi,

On Linux (and ArchLinux too) processes can't listen to any ports below 1024 unless approved by a system administrator. In this thread: https://stackoverflow.com/questions/413 … s-on-linux there are mentioned a couple of ways on how to disable this for a specific program, but I was wondering how to disable this for the entire system and all users. Did anyone ever do this, or does anyone have an idea on how to completely disable this limit?

Last edited by mpboom (2018-12-01 15:07:51)

amish · 2018-12-01 14:41:06

I have never tried this but see "ip_unprivileged_port_start" under:

https://www.kernel.org/doc/Documentatio … sysctl.txt

ip_unprivileged_port_start - INTEGER
This is a per-namespace sysctl. It defines the first
unprivileged port in the network namespace. Privileged ports
require root or CAP_NET_BIND_SERVICE in order to bind to them.
To disable all privileged ports, set this to 0. It may not
overlap with the ip_local_reserved_ports range.
Default: 1024

So try this:

sysctl net.ipv4.ip_unprivileged_port_start=0

Last edited by amish (2018-12-01 14:45:06)

mpboom · 2018-12-01 15:08:18

Thank you so much! This is exactly what I wanted!

mpan · 2018-12-01 16:41:13

This is not what you want.

There is a good reason this limit exists: is an important security measure. By setting all ports as unprivileged, you permit anyone on your system to expose services on those ports. Including rogue services that may be used to attack your machine, other applications on your machine or other machines (for example by spoofing DHCP, in extension spoofing DNS, supporting DNS rebinding attacks &c.), attacks user/programs (including you) connecting to your machine (for example by exposing a fake SSH server or sending back rogue data that the other side blindly considers to be safe) and so on.

The proper methods have been shown in the forum post you have linked.

mpboom · 2018-12-01 17:00:26

Thanks a lot for the heads-up! However, this is really what I need. I am using a non-shared computer and the alternative is to just log in as root (which I consider to be more unsafe than this).

Trilby · 2018-12-01 17:10:39

That's not the only alternative. The process in question just needs root acess to bind the port (after which it can immediately drop privileges). What is the process in question and why does it need a low numbered port?

Last edited by Trilby (2018-12-01 17:36:24)

mpboom · 2018-12-01 17:16:53

It's mostly about simple Go webservers ran trough

go run [...].go

and my entire Docker installation. I want it to run at low-numbered ports because I've always worked that way (I installed Arch besides Windows a while ago and really want to switch my development stuff over to Arch). In short: I believe I should be able to quickly spin up a webserver on whatever port I want to.

Trilby · 2018-12-01 17:18:51

Webservers are generally run via a system service. Even without a system service, you can start then with `sudo ...` without having to run everyting as root.

ewaller · 2018-12-01 17:25:37

Expanding on Trilbys comment in post #6; you may want to look into authbind. It is in the AUR.

mpan · 2018-12-02 04:15:48

Which is also the first suggestion linked in the first post. Along with iptables-based approach. And both of them are right and safe way to do that.

ewaller · 2018-12-02 15:22:04

mpan wrote:

Which is also the first suggestion linked in the first post. Along with iptables-based approach. And both of them are right and safe way to do that.

So it was. whoops. I guess I had concentrated only on the responses o_O

mpan · 2018-12-02 17:47:03

It wasn’t against you, ewaller. I am merely pointing that out to mpboom — they provided the proper solution, supported by you too, in their first post.

az12shareart · 2019-07-23 11:27:21

mpan wrote:

There is a good reason this limit exists: is an important security measure.

Important security measure? You give it too much undeserved credit. We should call it a dirty hack in place of a more robust network security framework. Such as a default drop host firewall and a service manager to open ports on start that doesn't forget to close them immediately on shutdown and emergency exits. To obstruct any rogue program that decides to impersonate a legitimate daemon, even if that daemon happens to run on an unprivileged port (hi squid).

systemd.service(5), look for options ExecStartPost= and ExecStopPost=, then iptables(8)

I am looking at you nft(8), and you still lack an equivalent of iptables --delete chain rule-specification

seth · 2019-07-23 12:35:07

Please do not necropost and certainly not for a semi-OT rant. Thanks.

WorMzy · 2019-07-23 12:42:09

az12shareart, please do yourself a favour and read the entire code of conduct: https://wiki.archlinux.org/index.php/Code_of_conduct

Closing.

Arch Linux

#1 2018-12-01 14:36:09

[SOLVED] Disable the 1024 port limit

#2 2018-12-01 14:41:06

Re: [SOLVED] Disable the 1024 port limit

#3 2018-12-01 15:08:18

Re: [SOLVED] Disable the 1024 port limit

#4 2018-12-01 16:41:13

Re: [SOLVED] Disable the 1024 port limit

#5 2018-12-01 17:00:26

Re: [SOLVED] Disable the 1024 port limit

#6 2018-12-01 17:10:39

Re: [SOLVED] Disable the 1024 port limit

#7 2018-12-01 17:16:53

Re: [SOLVED] Disable the 1024 port limit

#8 2018-12-01 17:18:51

Re: [SOLVED] Disable the 1024 port limit

#9 2018-12-01 17:25:37

Re: [SOLVED] Disable the 1024 port limit

#10 2018-12-02 04:15:48

Re: [SOLVED] Disable the 1024 port limit

#11 2018-12-02 15:22:04

Re: [SOLVED] Disable the 1024 port limit

#12 2018-12-02 17:47:03

Re: [SOLVED] Disable the 1024 port limit

#13 2019-07-23 11:27:21

Re: [SOLVED] Disable the 1024 port limit

#14 2019-07-23 12:35:07

Re: [SOLVED] Disable the 1024 port limit

#15 2019-07-23 12:42:09

Re: [SOLVED] Disable the 1024 port limit

Board footer