
In Linux the thing the author wants is /proc/sys/net/ipv4/ip_unprivileged_port_start which defaults to 1024 but can be set to anything you like. Such as 0.

Edit: I didn't realize how new that was. Kernels 4.11+ only. I think some people were using this on custom patched kernels though because I've been seeing it around. Was committed in January.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/lin...



No, the things that would have obviated the author's specific example were (a finer-grained version of) ip_unprivileged_port_start and SRV records back in the 90s, when the customs actually developed.


That's the whole point about path dependence. We went down this massively more complex and expensive path because we didn't do a few teeny weeny little things to network interfaces and permissions back in the 90s.


Or just giving relevant users CAP_NET_BIND_SERVICE.


or do it to the binaries:

> setcap 'cap_net_bind_service=+ep' /path/to/executable

huge blog post for what is literally a one line fix


Unprivileged user accounts can't do that, so it changes nothing about the blog post.


Also only works for actual binaries, not scripts. Well, you can write a short exec wrapper I suppose.


Hm. Why doesn't it work for scripts? I thought the capabilities were stored in the filesystem?


An OS that allows shebang scripts to have setuid or capabilities ends up allowing security holes, as seen in traditional Unix variants; see http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html and https://www.in-ulm.de/~mascheck/various/shebang/#setuid

Therefore, Linux simply doesn't allow it.


Because the script is probably not what is actually opening the port. It is going to execute something else that will open the port.


sudo setcap 'cap_net_bind_service=+ep' /usr/bin/nodejs

then all users benefit from it.
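An added example, written for this thread and not posted by anyone in it, that puts the two mechanisms discussed above side by side from an administrator's point of view: it reads ip_unprivileged_port_start (falling back to the assumed pre-4.11 value of 1024 when the file is absent) to decide which ports still need CAP_NET_BIND_SERVICE, parses `getcap -r` output to list which binaries already carry that file capability, and probes a bind to report EACCES. The getcap sample is constructed and both output formats it handles are assumptions about libcap versions, not taken from the thread.

```python
import socket
from pathlib import Path

# Kernel 4.11+ exposes the lowest port an unprivileged process may bind.
# Older kernels lack the file; the hard-coded 1024 fallback is an assumption.
SYSCTL_PATH = "/proc/sys/net/ipv4/ip_unprivileged_port_start"
DEFAULT_START = 1024


def unprivileged_port_start(path=SYSCTL_PATH, default=DEFAULT_START):
    """Return the first port bindable without CAP_NET_BIND_SERVICE."""
    try:
        return int(Path(path).read_text().strip())
    except (OSError, ValueError):
        return default


def needs_bind_capability(port, start=None):
    """True if binding `port` requires CAP_NET_BIND_SERVICE (or root)."""
    if start is None:
        start = unprivileged_port_start()
    return 0 <= port < start


def parse_getcap(output):
    """Parse `getcap -r` output into {path: capability_string}.

    Handles both line shapes (assumed from different libcap versions):
      older:  /usr/bin/ping = cap_net_raw+ep
      newer:  /usr/bin/ping cap_net_raw=ep
    """
    caps = {}
    for line in output.splitlines():
        tokens = [t for t in line.split() if t != "="]
        if len(tokens) != 2:
            continue  # blank line or something getcap printed to stderr
        path, capstr = tokens
        caps[path] = capstr
    return caps


def binaries_with(caps, cap_name):
    """Paths whose file capabilities mention `cap_name` in any set."""
    return sorted(p for p, c in caps.items() if cap_name in c)


def can_bind(port, host="127.0.0.1"):
    """Try to bind a TCP socket once; report (ok, reason) without listening."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return True, "bound"
    except PermissionError:
        # EACCES: caller lacks CAP_NET_BIND_SERVICE and port < start
        return False, "EACCES: needs CAP_NET_BIND_SERVICE"
    except OSError as e:
        return False, str(e)
    finally:
        s.close()


# Constructed sample, NOT real output from any host.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/nodejs = cap_net_bind_service+ep
/usr/sbin/mtr-packet cap_net_raw=ep
/usr/local/bin/webapp cap_net_bind_service,cap_net_raw=ep
"""

if __name__ == "__main__":
    start = unprivileged_port_start()
    print(f"ip_unprivileged_port_start = {start}")
    for port in (80, 443, 1024, 8080):
        print(f"port {port}: needs capability = {needs_bind_capability(port, start)}")
    caps = parse_getcap(SAMPLE_GETCAP)
    print("binaries with cap_net_bind_service:",
          binaries_with(caps, "cap_net_bind_service"))
    print("bind 127.0.0.1:80 ->", can_bind(80))
```

Run it as the unprivileged user in question: if `can_bind(80)` reports EACCES while the sysctl is still 1024, the choice is between lowering ip_unprivileged_port_start for every user on the host and granting the capability to one binary; the `binaries_with` listing shows which executables already got the second treatment, which is the thing to review periodically since any user who can run that binary inherits its bind ability.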


How does that solve the problem? How do 100 users bind their locally-installed web server to port 80? How do you make it so that only my user can bind to only my IP?


You use network namespaces or a whole solution like LXC.


Doesn't solve the problem, just shows he doesn't understand the problem.


A lot of good blog posts end up as one line fixes :-)



