bbaovanc.com/bbaovanc.com
1
0
Fork 0
mirror of https://github.com/BBaoVanC/bbaovanc.com.git synced 2025-08-02 23:11:37 -05:00
Code Issues Projects Releases Wiki Activity

Update privileged ports post footnotes & use <

Browse Source 
- Use names for footnotes instead of numbers
- Replace literal `<` with `&lt;`
This commit is contained in:
BBaoVanC
2022-05-02 01:06:28 -05:00
parent bd9d294fc1
commit db65e9fc23
1 changed files with 15 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
content/blog/allow-non-root-processes-to-bind-to-privileged-ports/index.md
View File

@@ -2,7 +2,7 @@
title: Allow non root processes to bind to privileged ports in Linux
date: 2021-03-28T21:29:52-05:00
lastmod: 2021-10-16T21:25:38-05:00
lastmod: 2022-05-02T01:05:44-05:00
toc: true
comments: true
@@ -18,14 +18,14 @@ tags:
---
In Linux, processes cannot bind to privileged ports (<=1024) unless they are
In Linux, processes cannot bind to privileged ports (&lt;=1024) unless they are
running as root. Here's how to allow any process to bind to privileged ports.
<!--more-->
## Introduction
In Linux, processes cannot bind to privileged ports (<=1024) unless they are
In Linux, processes cannot bind to privileged ports (&lt;=1024) unless they are
running as root. I learned about this when I was trying to add SSH cloning to my
[Gitea](https://gitea.io) instance. This can be bypassed by giving
`CAP_NET_BIND_SERVICE` capabilities to either the systemd service, or the
@@ -35,9 +35,9 @@ executable itself.
### Using systemd (preferred)
The best way is to tell systemd to give `CAP_NET_BIND_SERVICE`
capabilities to the service. In fact, the Gitea systemd service has two
lines[^1] that are commented out:
The best way is to tell systemd to give `CAP_NET_BIND_SERVICE` capabilities to
the service. In fact, the Gitea systemd service has two
lines[^systemd-set-capabilities] that are commented out:
```systemd
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
@@ -49,7 +49,7 @@ Uncommenting these two lines was all I had to do for Gitea.
### Using `setcap`
You can add `CAP_NET_BIND_SERVICE` to the executable directly using `setcap`,
allowing it to bind to any port. Run the following command[^2]:
allowing it to bind to any port. Run the following command[^setcap-command]:
```bash
setcap 'cap_net_bind_service=+ep' /path/to/program
@@ -58,7 +58,7 @@ setcap 'cap_net_bind_service=+ep' /path/to/program
Note that this means that anyone with permission to run this program will be
able to run it and bind to any privileged ports.
Other caveats[^2]:
Other caveats[^caveats-quote]:
> 1. You will need at least a 2.6.24 kernel
> 2. This won't work if your file is a script. (ie, uses a #! line to launch an
@@ -71,6 +71,10 @@ Other caveats[^2]:
> privileges like setcap or suid. So if your program uses its own .../lib/,
> you might have to look into another option like port forwarding.
[^1]: https://github.com/go-gitea/gitea/blob/3416e2a82586fca4cd452b93237b979300f55d62/contrib/systemd/gitea.service#L69
and https://stackoverflow.com/a/47065825
[^2]: https://stackoverflow.com/a/414258
[^systemd-set-capabilities]: See [these two lines in the Gitea systemd service
file](https://github.com/go-gitea/gitea/blob/3416e2a82586fca4cd452b93237b979300f55d62/contrib/systemd/gitea.service#L69)
and [this Stack Overflow answer](https://stackoverflow.com/a/47065825).
[^setcap-command]: https://stackoverflow.com/a/414258
[^caveats-quote]: https://stackoverflow.com/a/414258