Topic closed
Hi,
On Linux (and ArchLinux too) processes can't listen on any ports below 1024 unless approved by a system administrator. In this thread: https://stackoverflow.com/questions/413 … s-on-linux a couple of ways to disable this for a specific program are mentioned, but I was wondering how to disable this for the entire system and all users. Did anyone ever do this, or does anyone have an idea on how to completely disable this limit?
Last edited by mpboom (2018-12-01 15:07:51)
I have never tried this but see "ip_unprivileged_port_start" under:
https://www.kernel.org/doc/Documentatio … sysctl.txt
ip_unprivileged_port_start - INTEGER
This is a per-namespace sysctl. It defines the first
unprivileged port in the network namespace. Privileged ports
require root or CAP_NET_BIND_SERVICE in order to bind to them.
To disable all privileged ports, set this to 0. It may not
overlap with the ip_local_reserved_ports range.
Default: 1024
So try this:
sysctl net.ipv4.ip_unprivileged_port_start=0
Last edited by amish (2018-12-01 14:45:06)
Thank you so much! This is exactly what I wanted!
This is not what you want.
There is a good reason this limit exists: it is an important security measure. By setting all ports as unprivileged, you permit anyone on your system to expose services on those ports, including rogue services that may be used to attack your machine, other applications on your machine or other machines (for example by spoofing DHCP, by extension spoofing DNS, supporting DNS rebinding attacks &c.), attacks on users/programs (including you) connecting to your machine (for example by exposing a fake SSH server or sending back rogue data that the other side blindly considers to be safe) and so on.
The proper methods have been shown in the forum post you have linked.
Sometimes I seem a bit harsh — don’t get offended too easily!
Thanks a lot for the heads-up! However, this is really what I need. I am using a non-shared computer and the alternative is to just log in as root (which I consider to be more unsafe than this).
That's not the only alternative. The process in question just needs root access to bind the port (after which it can immediately drop privileges). What is the process in question and why does it need a low numbered port?
Last edited by Trilby (2018-12-01 17:36:24)
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
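As an added example (not code from this thread or from any of its posters): a small Go program that does what the reply above describes for the kind of `go run` web server the OP mentions. It binds the low port while still root, then drops to an unprivileged uid/gid before serving a single request, and verifies that root cannot be regained. It also reads the ip_unprivileged_port_start sysctl quoted earlier to report whether the chosen port needs privilege at all. The port numbers and the uid/gid 65534 (nobody on most distributions) are assumptions for illustration; start it with sudo when the port is privileged.

```go
// Added example for this thread, not any poster's code: bind a privileged
// port as root, then drop privileges before serving requests.
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"os"
	"strconv"
	"strings"
	"syscall"
)

// UnprivilegedPortStart reads the per-namespace sysctl quoted in the thread.
// If it cannot be read (non-Linux host, restricted /proc) the kernel default
// of 1024 is assumed.
func UnprivilegedPortStart() int {
	b, err := os.ReadFile("/proc/sys/net/ipv4/ip_unprivileged_port_start")
	if err != nil {
		return 1024
	}
	n, err := strconv.Atoi(strings.TrimSpace(string(b)))
	if err != nil || n < 0 {
		return 1024
	}
	return n
}

// IsPrivilegedPort reports whether binding port needs root or
// CAP_NET_BIND_SERVICE given an ip_unprivileged_port_start value.
// With the sysctl set to 0, as suggested earlier in the thread, nothing is.
func IsPrivilegedPort(port, unprivStart int) bool {
	return port < unprivStart
}

// ListenAndDrop binds addr first (the only step that needs privilege) and,
// if the process is running as root, switches permanently to uid/gid.
// It refuses to keep serving as root and checks that the drop is irreversible.
func ListenAndDrop(addr string, uid, gid int) (net.Listener, error) {
	ln, err := net.Listen("tcp", addr)
	if err != nil {
		return nil, err
	}
	if os.Geteuid() != 0 {
		return ln, nil // already unprivileged, nothing to drop
	}
	if uid == 0 || gid == 0 {
		ln.Close()
		return nil, errors.New("refusing to serve as root: give an unprivileged uid/gid")
	}
	// Order matters: supplementary groups and gid must change while still
	// root, because an unprivileged uid may not change them afterwards.
	// Since Go 1.16 these calls apply to every thread of the process.
	if err := syscall.Setgroups([]int{gid}); err != nil {
		ln.Close()
		return nil, fmt.Errorf("setgroups: %w", err)
	}
	if err := syscall.Setgid(gid); err != nil {
		ln.Close()
		return nil, fmt.Errorf("setgid: %w", err)
	}
	if err := syscall.Setuid(uid); err != nil {
		ln.Close()
		return nil, fmt.Errorf("setuid: %w", err)
	}
	// A real drop cannot be undone: regaining root must now fail.
	if syscall.Setuid(0) == nil || os.Geteuid() != uid {
		ln.Close()
		return nil, errors.New("privilege drop failed: root could be regained")
	}
	return ln, nil
}

func main() {
	// Assumptions for illustration: port 80 when started with sudo,
	// 8080 otherwise, and uid/gid 65534 (nobody on most distributions).
	port := 8080
	if os.Geteuid() == 0 {
		port = 80
	}
	fmt.Printf("port %d privileged: %v\n", port, IsPrivilegedPort(port, UnprivilegedPortStart()))
	ln, err := ListenAndDrop(fmt.Sprintf(":%d", port), 65534, 65534)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "served by uid %d on %s\n", os.Geteuid(), ln.Addr())
	})
	fmt.Fprintln(os.Stderr, "serving as uid", os.Geteuid(), "on", ln.Addr())
	if err := http.Serve(ln, nil); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

`sudo go run main.go` binds :80 and then serves as uid 65534; plain `go run main.go` falls back to :8080 and leaves the uid alone. Note that setcap on a built binary, the other common way to get CAP_NET_BIND_SERVICE without sudo, does not help with `go run`, which compiles a fresh temporary binary on every invocation.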
It's mostly about simple Go webservers run through
go run [...].go
and my entire Docker installation. I want it to run on low-numbered ports because I've always worked that way (I installed Arch beside Windows a while ago and really want to switch my development stuff over to Arch). In short: I believe I should be able to quickly spin up a webserver on whatever port I want to.
Webservers are generally run via a system service. Even without a system service, you can start them with `sudo ...` without having to run everything as root.
Expanding on Trilby's comment in post #6; you may want to look into authbind. It is in the AUR.
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Which is also the first suggestion linked in the first post, along with the iptables-based approach. And both of them are right and safe ways to do that.
Which is also the first suggestion linked in the first post, along with the iptables-based approach. And both of them are right and safe ways to do that.
So it was. Whoops. I guess I had concentrated only on the responses o_O
It wasn’t against you, ewaller. I am merely pointing that out to mpboom — they provided the proper solution, supported by you too, in their first post.
There is a good reason this limit exists: it is an important security measure.
Important security measure? You give it too much undeserved credit. We should call it a dirty hack in place of a more robust network security framework, such as a default-drop host firewall and a service manager that opens ports on start and doesn't forget to close them immediately on shutdown and emergency exits, to obstruct any rogue program that decides to impersonate a legitimate daemon, even if that daemon happens to run on an unprivileged port (hi squid).
systemd.service(5), look for options ExecStartPost= and ExecStopPost=, then iptables(8)
I am looking at you, nft(8), and you still lack an equivalent of iptables --delete chain rule-specification
Mods (seth and WorMzy): cut the gaslighting. Implement the "sage" button for old threads. BS security claims shouldn't show up on the Web unchallenged. Enabling BS and silencing the right solutions is a very low-life tactic. My post was abiding by the CoC, and offered steps on network security that aren't reliant on archaic non-solutions.
Please do not necropost and certainly not for a semi-OT rant. Thanks.
az12shareart, please do yourself a favour and read the entire code of conduct: https://wiki.archlinux.org/index.php/Code_of_conduct
Closing.
Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD
Making lemonade from lemons since 2015.