#1 2018-12-01 14:36:09

mpboom
Member
From: The Netherlands
Registered: 2018-12-01
Posts: 4

[SOLVED] Disable the 1024 port limit

Hi,

On Linux (and Arch Linux too) processes can't listen on any port below 1024 unless approved by a system administrator. In this thread: https://stackoverflow.com/questions/413 … s-on-linux a couple of ways are mentioned to disable this for a specific program, but I was wondering how to disable this for the entire system and all users. Did anyone ever do this, or does anyone have an idea on how to completely disable this limit?

Last edited by mpboom (2018-12-01 15:07:51)

#2 2018-12-01 14:41:06

amish
Member
Registered: 2014-05-10
Posts: 367

Re: [SOLVED] Disable the 1024 port limit

I have never tried this but see "ip_unprivileged_port_start" under:

https://www.kernel.org/doc/Documentatio … sysctl.txt

ip_unprivileged_port_start - INTEGER
    This is a per-namespace sysctl.  It defines the first
    unprivileged port in the network namespace.  Privileged ports
    require root or CAP_NET_BIND_SERVICE in order to bind to them.
    To disable all privileged ports, set this to 0.  It may not
    overlap with the ip_local_reserved_ports range.

    Default: 1024

So try this:

sysctl net.ipv4.ip_unprivileged_port_start=0

Last edited by amish (2018-12-01 14:45:06)


Forum signature: I discuss. I put my thoughts strongly. But I definitely respect all developers and time they put in.

#3 2018-12-01 15:08:18

mpboom
Member
From: The Netherlands
Registered: 2018-12-01
Posts: 4

Re: [SOLVED] Disable the 1024 port limit

Thank you so much! This is exactly what I wanted!

#4 2018-12-01 16:41:13

mpan
Member
Registered: 2012-08-01
Posts: 466
Website

Re: [SOLVED] Disable the 1024 port limit

This is not what you want.

There is a good reason this limit exists: it is an important security measure. By setting all ports as unprivileged, you permit anyone on your system to expose services on those ports, including rogue services that may be used to attack your machine, other applications on your machine or other machines (for example by spoofing DHCP, by extension spoofing DNS, supporting DNS rebinding attacks &c.), to attack users/programs (including you) connecting to your machine (for example by exposing a fake SSH server or sending back rogue data that the other side blindly considers to be safe) and so on.

The proper methods have been shown in the forum post you have linked.


Sometimes I’m a bit harsh — don’t get offended too easily!
PGP: 7C848198AE93D3BB | Coreutils SHA2 performance
Russian roulette: curl "https://ptpb.pw/$(cat /dev/urandom | tr -cd [:alnum:] | head -c 4)" | sudo bash
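
The rule mpan is describing, as an added Go example that is not part of the thread: a small audit that reads the live `ip_unprivileged_port_start` threshold from post #2 and the process's own `CapEff` mask, then reports which ports this process could bind and whether the threshold has been lowered below the default. The `/proc` paths and the CAP_NET_BIND_SERVICE bit number (10) are the kernel's; the helper names are my own.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

const (
	capNetBindService  = 10   // CAP_NET_BIND_SERVICE in <linux/capability.h>: the bit checked, besides euid 0, for low ports
	defaultUnprivStart = 1024 // kernel default for net.ipv4.ip_unprivileged_port_start, as quoted in post #2
)

// parseCapEff extracts the effective capability mask from /proc/<pid>/status text ("CapEff:\t<16 hex digits>").
func parseCapEff(status string) (uint64, error) {
	for _, line := range strings.Split(status, "\n") {
		if f := strings.Fields(line); len(f) == 2 && f[0] == "CapEff:" {
			return strconv.ParseUint(f[1], 16, 64)
		}
	}
	return 0, fmt.Errorf("no CapEff line in status text")
}

// canBind mirrors the kernel rule: ports at or above unprivStart are open to all; below it, euid 0 or CAP_NET_BIND_SERVICE is required.
func canBind(port, unprivStart, euid int, capEff uint64) bool {
	if port >= unprivStart {
		return true
	}
	return euid == 0 || capEff&(1<<capNetBindService) != 0
}

// thresholdLowered flags the system-wide weakening from post #4: every local user gains the ports in between.
func thresholdLowered(unprivStart int) bool { return unprivStart < defaultUnprivStart }

func main() {
	status, _ := os.ReadFile("/proc/self/status")
	capEff, _ := parseCapEff(string(status))
	start := defaultUnprivStart // kept when the sysctl file is absent (pre-4.11 kernel, non-Linux, restricted /proc)
	if b, err := os.ReadFile("/proc/sys/net/ipv4/ip_unprivileged_port_start"); err == nil {
		if n, err := strconv.Atoi(strings.TrimSpace(string(b))); err == nil {
			start = n
		}
	}
	fmt.Printf("ip_unprivileged_port_start=%d lowered=%v\n", start, thresholdLowered(start))
	for _, p := range []int{80, 443, 8080} {
		fmt.Printf("port %d bindable by this process: %v\n", p, canBind(p, start, os.Geteuid(), capEff))
	}
}
```

Run it once as a normal user and once under sudo to see the second column flip for 80 and 443 while 8080 stays bindable either way.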

#5 2018-12-01 17:00:26

mpboom
Member
From: The Netherlands
Registered: 2018-12-01
Posts: 4

Re: [SOLVED] Disable the 1024 port limit

Thanks a lot for the heads-up! However, this is really what I need. I am using a non-shared computer and the alternative is to just log in as root (which I consider to be more unsafe than this).

#6 2018-12-01 17:10:39

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 20,470
Website

Re: [SOLVED] Disable the 1024 port limit

That's not the only alternative. The process in question just needs root access to bind the port (after which it can immediately drop privileges). What is the process in question and why does it need a low-numbered port?

Last edited by Trilby (2018-12-01 17:36:24)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

#7 2018-12-01 17:16:53

mpboom
Member
From: The Netherlands
Registered: 2018-12-01
Posts: 4

Re: [SOLVED] Disable the 1024 port limit

It's mostly about simple Go webservers run through

go run [...].go

and my entire Docker installation. I want it to run on low-numbered ports because I've always worked that way (I installed Arch alongside Windows a while ago and really want to switch my development stuff over to Arch). In short: I believe I should be able to quickly spin up a webserver on whatever port I want.

#8 2018-12-01 17:18:51

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 20,470
Website

Re: [SOLVED] Disable the 1024 port limit

Webservers are generally run via a system service. Even without a system service, you can start them with `sudo ...` without having to run everything as root.
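
Trilby's bind-then-drop pattern from post #6, as an added Go example (not the thread's code; Go because the OP's servers are Go programs): listen on the privileged port while still root, then switch to an unprivileged uid/gid and confirm the switch cannot be reversed before serving a single request. It assumes Linux and Go 1.16 or later, where syscall.Setuid/Setgid are implemented process-wide; the user id 65534 (nobody) and the function names are my choices.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"os"
	"syscall"
)

// listenThenDrop binds addr while still privileged, then permanently switches to uid/gid before any request
// is handled. Added example (not the thread's code); assumes Linux and Go 1.16+, where Setuid/Setgid apply to all threads.
func listenThenDrop(addr string, uid, gid int) (net.Listener, error) {
	ln, err := net.Listen("tcp", addr) // for ports below 1024 this is the only step that needs root
	if err != nil {
		return nil, err
	}
	if os.Geteuid() != 0 {
		return ln, nil // started unprivileged (e.g. on a high port): nothing to drop
	}
	// Order matters: groups, then gid, then uid. Setuid goes last: after it we can no longer change the others.
	if err := syscall.Setgroups([]int{gid}); err != nil {
		return nil, fail(ln, "setgroups", err)
	}
	if err := syscall.Setgid(gid); err != nil {
		return nil, fail(ln, "setgid", err)
	}
	if err := syscall.Setuid(uid); err != nil {
		return nil, fail(ln, "setuid", err)
	}
	// Verify the drop cannot be undone: if we can still become root, refuse to serve.
	if syscall.Setuid(0) == nil {
		return nil, fail(ln, "verify", fmt.Errorf("privilege drop did not stick"))
	}
	return ln, nil
}
// fail closes the listener so a failed drop never leaves a root-owned socket serving.
func fail(ln net.Listener, step string, err error) error { ln.Close(); return fmt.Errorf("%s: %w", step, err) }

func main() {
	// Run as root (sudo ./server): bind port 80, then become uid/gid 65534 (nobody) before serving.
	ln, err := listenThenDrop(":80", 65534, 65534)
	if err != nil {
		log.Fatal(err)
	}
	http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "served by uid %d\n", os.Geteuid()) // prints 65534, not 0
	}))
}
```

Compared with lowering the sysctl, only this one binary ever holds root, and only for the duration of the bind.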

#9 2018-12-01 17:25:37

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 16,281

Re: [SOLVED] Disable the 1024 port limit

Expanding on Trilby's comment in post #6: you may want to look into authbind. It is in the AUR.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

#10 2018-12-02 04:15:48

mpan
Member
Registered: 2012-08-01
Posts: 466
Website

Re: [SOLVED] Disable the 1024 port limit

Which is also the first suggestion linked in the first post, along with the iptables-based approach. Both of them are the right and safe way to do that.

#11 2018-12-02 15:22:04

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 16,281

Re: [SOLVED] Disable the 1024 port limit

mpan wrote:

Which is also the first suggestion linked in the first post, along with the iptables-based approach. Both of them are the right and safe way to do that.

So it was. Whoops. I guess I had concentrated only on the responses o_O

#12 2018-12-02 17:47:03

mpan
Member
Registered: 2012-08-01
Posts: 466
Website

Re: [SOLVED] Disable the 1024 port limit

It wasn’t against you, ewaller. I am merely pointing that out to mpboom — they provided the proper solution, supported by you too, in their first post.
