Low Ports run by non-root

Posted on 2004-11-19
Medium Priority
Last Modified: 2013-12-27

Currently Solaris requires that ports under 1024 be run only as root.  So that means our webserver has to be launched as root.  Yes, immediately after launching, Apache cloaks itself as another user.  Nice feature.

But still I am having some problems because I want non-root users to be able to bring up/down processes on port 80.  

I know using 'ndd /dev/tcp tcp_smallest_nonpriv_port' you can change it from 1024 to some lower port, like 80.  

But is it possible to open a single port for non-root access, like ONLY 80, but leave 81-1024 default?

Question by: shanepresley
LVL 51

Expert Comment

ID: 12626164
> But is it possible to open a single port for non-root access, like ONLY 80, but leave 81-1024 default?
No, only the way Apache does it, for example.
LVL 34

Expert Comment

ID: 12626831
You could employ a tool like sudo (http://www.courtesan.com/sudo/) to allow normally-unprivileged users to perform privileged actions, such as launching a process that binds to a privileged port.

Author Comment

ID: 12627513
Actually I'm having trouble with ndd -set /dev/tcp tcp_smallest_nonpriv_port #

It will let me set 1024 or higher, but won't let me do

ndd -set /dev/tcp tcp_smallest_nonpriv_port 80
operation failed, Invalid argument

Anyone know if on Solaris 8/9 you can change that value?


LVL 51

Accepted Solution

ahoffmann earned 1200 total points
ID: 12628631
tcp_smallest_nonpriv_port *extends* the range of privileged ports, it does not *reduce* the range.
Ports 1..1023 are reserved for root in any *nix, for security reasons.
LVL 14

Assisted Solution

chris_calabrese earned 400 total points
ID: 12628643
The traditional way to do this is to have a wrapper program that opens the port as root, becomes a non-root user, and then does the work as that non-root user.

This can be done in a single program, or using a "wrapper" that opens the port as root, becomes the non-root user, and executes the "real" program.

This is easily done using inetd, where you give it the name of the service (from /etc/services or the equiv. NIS map), the path of the program to execute, and the user to execute it as.

This way, the program doesn't have to do any network listening stuff at all - just read stdin and write stdout.
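An added example of the wrapper chris_calabrese describes, written for this page rather than taken from the thread or from any Solaris component. Run as root, it binds the low port, drops to the named unprivileged user, and then execs the real program, which only has to accept() connections and never holds root itself. The function names (bind_listener, drop_privileges, is_unprivileged), the program name portwrap, and the convention of handing the listening socket to the child as file descriptor 3 are this example's own choices, not anything the thread specifies.

```c
/* Added example (not from the thread): a minimal privileged-port wrapper.
 * Started as root, it binds the low port, drops privileges permanently,
 * then execs the real service with the listening socket on fd 3.
 * On Solaris build with:  cc -o portwrap portwrap.c -lsocket -lnsl      */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Open a TCP listener on `port` (0 lets the kernel pick an ephemeral port,
 * which is how this can be exercised without root). Returns the socket fd,
 * or -1 with errno set. */
int bind_listener(unsigned short port)
{
    struct sockaddr_in sa;
    int one = 1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 128) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Permanently become uid/gid. Order matters: supplementary groups and the
 * primary gid go first, because once setuid() has run a non-root process
 * can no longer change its groups. Returns 0 on success, -1 if any step
 * failed or if root could still be regained afterwards. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0)
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    /* A real drop is irreversible: getting root back must fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* 1 if neither the real nor the effective uid is root. */
int is_unprivileged(void)
{
    return getuid() != 0 && geteuid() != 0;
}

/* usage: portwrap PORT USER PROGRAM [ARGS...]
 * The child finds the already-bound listening socket on fd 3 (this
 * example's convention) and only has to accept() on it. */
int main(int argc, char **argv)
{
    if (argc < 4) {
        fprintf(stderr, "usage: %s PORT USER PROGRAM [ARGS...]\n", argv[0]);
        return 2;
    }
    int port = atoi(argv[1]);
    struct passwd *pw = getpwnam(argv[2]);
    if (port <= 0 || port > 65535 || pw == NULL || pw->pw_uid == 0) {
        fprintf(stderr, "bad port or user (refusing to run the service as root)\n");
        return 2;
    }
    int fd = bind_listener((unsigned short)port);
    if (fd < 0) {
        perror("bind");
        return 1;
    }
    /* Drop first, exec second: the service must never see root. */
    if (drop_privileges(pw->pw_uid, pw->pw_gid) < 0 || !is_unprivileged()) {
        fprintf(stderr, "could not drop privileges, not starting service\n");
        return 1;
    }
    if (dup2(fd, 3) < 0) {
        perror("dup2");
        return 1;
    }
    if (fd != 3)
        close(fd);
    execvp(argv[3], argv + 3);
    perror("execvp");
    return 1;
}
```

The check that setuid(0) fails after the drop is the part worth keeping even if the rest is adapted: a wrapper that drops only the effective uid, or sets uid before gid, leaves the child able to climb back to root, which defeats the purpose of the wrapper. On Solaris 10 the same goal can be met without a wrapper through the Process Rights that Nukfror mentions below, by granting the service user the net_privaddr privilege.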
LVL 51

Expert Comment

ID: 12628833
tcpwrapper (tcpd) called from inetd is such a program, see
  man portmap
  man inetd

if it has to be a daemon, see the apache suggestion above ...
LVL 10

Assisted Solution

Nukfror earned 400 total points
ID: 12629292
They fixed this annoying issue in Solaris 10 with Process Rights - which doesn't help you here.

Also, lowering your non-priv port range to 80 is EXTREMELY dangerous if this server is Internet facing.  As already recommended, using sudo to actually start/stop Apache to bind to the port 80 priv port is the right approach in this situation.
