linux-kernel.vger.kernel.org archive mirror
* Possibility to adjust the only-root-can-bind-to-port-under-1024 limit
@ 2007-11-20 10:14 Mikael Ståldal
  2007-11-20 14:53 ` Radoslaw Szkodzinski
  0 siblings, 1 reply; 7+ messages in thread
From: Mikael Ståldal @ 2007-11-20 10:14 UTC (permalink / raw)
  To: linux-kernel

In Linux you have to be root in order to listen to TCP or UDP ports below 1024 (the 
well-known ports). As far as I know, this limit is hardcoded in the kernel.

In some cases, this limit does more harm than good, so it would be nice to be able to adjust it.

FreeBSD has a pair of sysctl parameters allowing you to adjust (or effectively remove) this 
  limit, net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh. It would 
be nice if something similar to net.inet.ip.portrange.reservedhigh was implemented in Linux 
(with default value 1023).

I have no patch for this, since I have never done any kernel hacking before. But it seems 
like it should be easy to implement by replacing the PROT_SOCK constant with 
net.inet.ip.portrange.reservedhigh + 1.

(See my blog post for a more elaborate discussion about this:
http://www.staldal.nu/tech/2007/10/31/why-can-only-root-listen-to-ports-below-1024/)

/Mikael


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Possibility to adjust the only-root-can-bind-to-port-under-1024 limit
  2007-11-20 10:14 Possibility to adjust the only-root-can-bind-to-port-under-1024 limit Mikael Ståldal
@ 2007-11-20 14:53 ` Radoslaw Szkodzinski
       [not found]   ` <474306BF.4010207@univits.com>
  2007-11-26  9:52   ` Mikael Ståldal
  0 siblings, 2 replies; 7+ messages in thread
From: Radoslaw Szkodzinski @ 2007-11-20 14:53 UTC (permalink / raw)
  To: Mikael Ståldal; +Cc: linux-kernel


On Tue, 20 Nov 2007 11:14:59 +0100
Mikael Ståldal  <mikael.staldal-ingen-reklam@univits.com> wrote:

> In Linux you have to be root in order to listen to TCP or UDP ports below 1024 (the 
> well-known ports). As far as I know, this limit is hardcoded in the kernel.
> 
> In some cases, this limit does more harm than good, so it would be nice to be able to adjust it.

The proper way to enable port <= 1024 binding support is adding CAP_NET_BIND_SERVICE to the process capability set, e.g. by using file-system capabilities.


* Re: Possibility to adjust the only-root-can-bind-to-port-under-1024 limit
       [not found]   ` <474306BF.4010207@univits.com>
@ 2007-11-20 19:23     ` Radoslaw Szkodzinski
  0 siblings, 0 replies; 7+ messages in thread
From: Radoslaw Szkodzinski @ 2007-11-20 19:23 UTC (permalink / raw)
  To: Mikael Ståldal; +Cc: linux-kernel


On Tue, 20 Nov 2007 17:09:35 +0100
Mikael Ståldal <mikael.staldal@univits.com> wrote:

> Hello.
> 
> > The proper way to enable port <= 1024 binding support is adding CAP_NET_BIND_SERVICE 
> > to the process capability set, e.g. by using file-system capabilities.
> 
> Is file-system capabilities part of the stable official Linux kernel? From which version?
> How do I use it?
> 

They were recently added in 2.6.24-rc1.
(mostly commit b53767719b6cd8789392ea3e7e2eb7b8906898f0)
The patch should be easy to backport, I've seen it in various
distro kernels.

According to the commit, documentation is at
http://www.friedhoff.org/fscaps.html

Some programs already have capability support - they
drop all permissions they don't need.

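As an added example (not code from the thread), the following C program does the check a practitioner would run after granting a binary the capability the reply recommends: it reads its own effective capability set from /proc/self/status, reads the kernel's privileged-port boundary, and reports what bind() to a low port actually returns. The sysctl net.ipv4.ip_unprivileged_port_start it consults is the adjustable limit the original post asks for; it was added to Linux in 4.11, long after this thread, and on kernels without it the program assumes the hard-coded 1024. The file name bindcheck and the default port 80 are assumptions.

```c
/* Added example (not from the thread): report whether this process holds
 * CAP_NET_BIND_SERVICE and whether the kernel lets it bind a low port.
 * Linux only. Build: cc -Wall -o bindcheck bindcheck.c */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <linux/capability.h>
#ifndef CAP_NET_BIND_SERVICE
#define CAP_NET_BIND_SERVICE 10   /* capability number from <linux/capability.h> */
#endif

/* 1 if CAP_NET_BIND_SERVICE is in the effective set, 0 if not, -1 on error.
 * Parsed from the CapEff bitmask in /proc/self/status, so no libcap needed. */
int has_net_bind_service(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    unsigned long long eff;
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "CapEff: %llx", &eff) == 1) {
            result = (int)((eff >> CAP_NET_BIND_SERVICE) & 1ULL);
            break;
        }
    }
    fclose(f);
    return result;
}

/* First port that does not need the capability. Linux 4.11+ exposes it as
 * net.ipv4.ip_unprivileged_port_start; older kernels hard-code 1024 (PROT_SOCK). */
int unprivileged_port_start(void)
{
    int start = 1024;
    FILE *f = fopen("/proc/sys/net/ipv4/ip_unprivileged_port_start", "r");
    if (f) {
        if (fscanf(f, "%d", &start) != 1)
            start = 1024;
        fclose(f);
    }
    return start;
}

/* Does bind() to this port require CAP_NET_BIND_SERVICE on this kernel?
 * Port 0 asks for an ephemeral port and never does. */
int bind_needs_capability(unsigned short port)
{
    return port != 0 && (int)port < unprivileged_port_start();
}

/* Try to bind a TCP socket to 0.0.0.0:port. Returns 0 on success, otherwise
 * the errno from socket() or bind(); EACCES is the privileged-port refusal. */
int try_bind(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    int err = bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 ? 0 : errno;
    close(fd);
    return err;
}

int main(int argc, char **argv)
{
    unsigned short port = argc > 1 ? (unsigned short)atoi(argv[1]) : 80;
    int cap = has_net_bind_service();
    int err = try_bind(port);
    printf("uid=%u euid=%u  CAP_NET_BIND_SERVICE effective: %s\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           cap == 1 ? "yes" : cap == 0 ? "no" : "unknown");
    printf("unprivileged ports start at %d; port %u %s the capability\n",
           unprivileged_port_start(), port,
           bind_needs_capability(port) ? "needs" : "does not need");
    printf("bind(0.0.0.0:%u): %s\n", port, err == 0 ? "ok" : strerror(err));
    return err == 0 ? 0 : 1;
}
```

To grant the capability through file-system capabilities as the reply suggests, run `setcap cap_net_bind_service=+ep ./bindcheck` as root and confirm with `getcap ./bindcheck`; an unprivileged user running `./bindcheck 80` should then see the EACCES turn into ok, with no other root privilege involved. Limiting which users may obtain the capability is ordinary file permission work (for example `chgrp webadm ./bindcheck; chmod 750 ./bindcheck`). Two caveats: file capabilities live in the security.capability extended attribute, so they need a file system that stores it, and the kernel clears them when the file is written to, just as it clears the setuid bit.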

* Re: Possibility to adjust the only-root-can-bind-to-port-under-1024 limit
  2007-11-20 14:53 ` Radoslaw Szkodzinski
       [not found]   ` <474306BF.4010207@univits.com>
@ 2007-11-26  9:52   ` Mikael Ståldal
  2007-11-27 22:42     ` Phillip Susi
  1 sibling, 1 reply; 7+ messages in thread
From: Mikael Ståldal @ 2007-11-26  9:52 UTC (permalink / raw)
  To: linux-kernel

Radoslaw Szkodzinski (AstralStorm) wrote:
>> In Linux you have to be root in order to listen to TCP or UDP ports below 1024 (the 
>> well-known ports). As far as I know, this limit is hardcoded in the kernel.
>
> The proper way to enable port <= 1024 binding support is adding CAP_NET_BIND_SERVICE to 
> the process capability set, e.g. by using file-system capabilities.

And how do you protect ports >1024 from any user binding to them?

Isn't the 1024 limit somewhat obsolete and arbitrary today?

/Mikael



* Re: Possibility to adjust the only-root-can-bind-to-port-under-1024 limit
  2007-11-26  9:52   ` Mikael Ståldal
@ 2007-11-27 22:42     ` Phillip Susi
  2007-11-30  9:15       ` Mikael Ståldal
  0 siblings, 1 reply; 7+ messages in thread
From: Phillip Susi @ 2007-11-27 22:42 UTC (permalink / raw)
  To: Mikael Ståldal; +Cc: linux-kernel

Mikael Ståldal wrote:
> And how do you protect ports >1024 from any user binding to them?
> 
> Isn't the 1024 limit somewhat obsolete and arbitrary today?

No, it is not obsolete, yes, it always was arbitrary.

You prevent users from binding to those ports by only giving 
applications that need to the capability, and only letting the users 
that need to have execute permission to those programs.



* Re: Possibility to adjust the only-root-can-bind-to-port-under-1024 limit
  2007-11-27 22:42     ` Phillip Susi
@ 2007-11-30  9:15       ` Mikael Ståldal
  0 siblings, 0 replies; 7+ messages in thread
From: Mikael Ståldal @ 2007-11-30  9:15 UTC (permalink / raw)
  To: linux-kernel

Phillip Susi wrote:
> Mikael Ståldal wrote:
>> And how do you protect ports >1024 from any user binding to them?
>
> You prevent users from binding to those ports by only giving 
> applications that need to the capability, and only letting the users 
> that need to have execute permission to those programs.

I think you misunderstood my question.

How do you protect ports greater than 1024 from any user binding to them? E.g. port 1080.

/Mikael



* Re: Possibility to adjust the only-root-can-bind-to-port-under-1024 limit
       [not found] <554627.38779.qm@web36601.mail.mud.yahoo.com>
@ 2007-12-06 12:32 ` Mikael Ståldal
  0 siblings, 0 replies; 7+ messages in thread
From: Mikael Ståldal @ 2007-12-06 12:32 UTC (permalink / raw)
  To: casey; +Cc: linux-kernel

Casey Schaufler wrote:
>> How do you protect ports greater than 1024 from any user binding to them?
>> E.g. port 1080.
> 
> Should the OS manage port number allocations? I don't think so
> based on the notion of ports being names in an uncontrolled flat
> namespace. The whole problem is that people want to make assumptions
> about the applications providing services on a particular port, and
> no amount of OS control is going to solve that one.

This means that the OS should allow any user to bind to all ports, even those <1024.

/Mikael

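Neither the capability model nor a movable boundary answers the question about port 1080, and the reply quoted above argues the OS should not try. What a practitioner does instead is watch for it. The following C program, an added example that is not from the thread, parses the text of /proc/net/tcp (and /proc/net/tcp6, which has the same columns) and flags LISTEN sockets on a configured list of high ports that are owned by a uid other than 0. The table embedded in it is a constructed sample, and the watched ports 1080, 3128 and 3306 and the program name portwatch are assumptions.

```c
/* Added example (not from the thread): list LISTEN sockets on watched ports
 * above 1024 that are owned by a non-root uid, by parsing /proc/net/tcp.
 * Linux only. Build: cc -Wall -o portwatch portwatch.c
 * Usage: ./portwatch /proc/net/tcp   (no argument: scans the embedded sample) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PROC_TCP_LISTEN 0x0A   /* st column value for a listening socket */

struct tcp_row {
    unsigned port;   /* local port, host order */
    unsigned state;  /* st column */
    unsigned uid;    /* owning uid */
};

/* Parse one data line of /proc/net/tcp or tcp6. Returns 1 on success, 0 for
 * the header line or anything malformed. Address fields are skipped with
 * %*[0-9A-Fa-f], so the 8-digit (IPv4) and 32-digit (IPv6) forms both parse. */
int parse_tcp_line(const char *line, struct tcp_row *row)
{
    unsigned sl, lport, rport, st, txq, rxq, tr, when, retr, uid;
    int n = sscanf(line, " %u: %*[0-9A-Fa-f]:%x %*[0-9A-Fa-f]:%x %x %x:%x %x:%x %x %u",
                   &sl, &lport, &rport, &st, &txq, &rxq, &tr, &when, &retr, &uid);
    if (n != 10)
        return 0;
    row->port = lport;
    row->state = st;
    row->uid = uid;
    return 1;
}

/* Scan /proc/net/tcp text for LISTEN sockets on a watched port whose owner is
 * not root. Stores up to max_out findings in out; returns the total found. */
int find_unprivileged_listeners(const char *text, const unsigned *watch, size_t nwatch,
                                struct tcp_row *out, size_t max_out)
{
    size_t found = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        struct tcp_row row;
        if (parse_tcp_line(line, &row) && row.state == PROC_TCP_LISTEN && row.uid != 0) {
            for (size_t i = 0; i < nwatch; i++) {
                if (watch[i] == row.port) {
                    if (found < max_out)
                        out[found] = row;
                    found++;
                    break;
                }
            }
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    return (int)found;
}

/* Constructed sample in /proc/net/tcp layout: root on 22, uid 1000 listening on
 * 1080 (SOCKS) and 8080, plus one established connection on 1080 (not a listener). */
static const char SAMPLE_PROC_NET_TCP[] =
"  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
"   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 13110 1 0000000000000000 100 0 0 10 0\n"
"   1: 0100007F:0438 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20410 1 0000000000000000 100 0 0 10 0\n"
"   2: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20411 1 0000000000000000 100 0 0 10 0\n"
"   3: 0100007F:0438 0100007F:B4F2 01 00000000:00000000 00:00000000 00000000  1000        0 20412 1 0000000000000000 20 4 30 10 -1\n";

/* Read a whole file into a malloc'd buffer; /proc files report size 0, so read until EOF. */
static char *slurp(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return NULL;
    size_t cap = 65536, len = 0, n;
    char *buf = malloc(cap);
    while (buf && (n = fread(buf + len, 1, cap - len - 1, f)) > 0) {
        len += n;
        if (len + 1 >= cap) {
            char *grown = realloc(buf, cap * 2);
            if (!grown) { free(buf); buf = NULL; break; }
            buf = grown;
            cap *= 2;
        }
    }
    fclose(f);
    if (buf)
        buf[len] = '\0';
    return buf;
}

int main(int argc, char **argv)
{
    /* High ports this host treats as "ours": SOCKS, Squid, MySQL (assumed policy). */
    static const unsigned watch[] = { 1080, 3128, 3306 };
    char *live = argc > 1 ? slurp(argv[1]) : NULL;
    const char *text = live ? live : SAMPLE_PROC_NET_TCP;
    struct tcp_row hits[64];
    int n = find_unprivileged_listeners(text, watch, sizeof watch / sizeof *watch,
                                        hits, sizeof hits / sizeof *hits);
    for (int i = 0; i < n && i < 64; i++)
        printf("WARNING: uid %u is listening on watched port %u\n", hits[i].uid, hits[i].port);
    printf("%d unprivileged listener(s) on watched ports%s\n", n,
           live ? "" : " (constructed sample)");
    free(live);
    return n ? 1 : 0;
}
```

Run against the live table (`./portwatch /proc/net/tcp; ./portwatch /proc/net/tcp6`) from cron or an agent and alert on a non-zero exit. It only tells you that an unexpected uid holds the port, which is exactly what the quoted reply says is all the OS can know; whether the thing listening on 1080 is the SOCKS proxy you meant still has to be verified at the application layer.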
