Home >Backend Development >PHP Tutorial >How to make non-root user programs use ports smaller than 1024 under Linux
Under Linux, by default, ports below 1024 can only be used under root. If you try to use them under other users, an error will be reported. Sometimes, we may consider running the program under the root account, but this may bring security risks to the Linux system. So how can we enable programs run by non-root users to enable ports smaller than 1024 to the outside world? This article tries to give some methods: The first method: SetUID Setting the user ID in the execution position of the user's application allows the program to run with root privileges. This method allows the program to run as if it were running under root, but you need to be very careful. This method also brings security risks, especially When the program to be executed inherently presents a security risk. The method used is: chown root.root /path/to/application #Use SetUID chmod u+s /path/to/application We can see that under the system, files such as /usr/bin/passwd use SetUID, so that every user in the system can use passwd to change the password - this is the file to modify /etc/passwd ( Only root has permission to do this). Since you want to use a non-root user to run the program, the purpose is to reduce the security risks that the program itself brings to the system. Therefore, you need to be particularly careful when using this method. Second method: CAP_NET_BIND_SERVICE Starting with version 2.1, the Linux kernel has the concept of capabilities, which allow ordinary users to do tasks that only superusers can do, including using ports. Obtain the CAP_NET_BIND_SERVICE capability and be able to band to low ports even if the service program is running under a non-root account. Method used: # Set CAP_NET_BIND_SERVICE setcap cap_net_bind_service =+ep /path/to/application Note: 1. This method is not suitable for all Linux systems. The kernel does not provide it before 2.1, so you need to check whether the system where you want to use this method supports it; 2. Another thing to note is that if the program file to be run is a script, this method will not work properly. The third method: Port Forwarding If the program you want to run has permission to listen to other ports, then this method can be used. First, let the program run under a non-root account and bind a port higher than 1024. When ensuring that it can work normally, pass the low port Port forwarding transfers the low port to the high port, thereby enabling non-root running programs to bind to the low port. To use this method you can use the following: # Enable the IP FORWARD kernel parameter. sysctl -w net.ipv4.ip_forward=1 # Use iptables rules to redirect packets iptables -F -t nat iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to:8088 The first step is to use sysctl to ensure that the IP FORWARD function is enabled (this function is disabled by default in Red Hat/CentOS). Note that the sysctl settings used in the code are temporary settings and will be reset after restarting. If you want to save them permanently , need to be modified in the /etc/sysctl.conf file: # Default value is 0, need change to 1. # net.ipv4.ip_forward = 0 net.ipv4.ip_forward = 1 Then load the new configuration from the file # load new sysctl.conf sysctl -p /etc/sysctl.conf # or sysctl -p # default filename is /etc/sysctl.conf The second step is to use iptables rules to forward the port to the port where the program is located. In the example, we want to forward port 80 to 8088. This method can achieve our purpose better. Our program can be run by non-root users and can provide low port number services to the outside world. The fourth way: RINETD This method also uses port forwarding. This tool can map local ports to remote ports, but this function is a bit useless for our current functions. After all, we have added an additional program, which may increase our System risk. No recommendations here. Get Brothers IT Education’s original Linux operation and maintenance engineer video/detailed Linux tutorial for free. For details, please contact the official website customer service: http://www.lampbrother.net/linux/ PHP, Linux, HTML5, UI, Android and other video tutorials (courseware + notes + video)! Contact Q2430675018 |