Low Ports run by non-root


Currently Solaris requires that ports under 1024 be run only as root.  So that means our webserver has to be launched as root.  Yes, immediately after launching, Apache cloaks itself as another user.  Nice feature.

But still I am having some problems because I want non-root users to be able to bring up/down processes on port 80.  

I know using 'ndd /dev/tcp tcp_smallest_nonpriv_port' you can change it from 1024 to some lower port, like 80.  

But is it possible to open a single port for non-root access, like ONLY 80, but leave 81-1024 default?


> But is it possible to open a single port for non-root access, like ONLY 80, but leave 81-1024 default?
No, only the way Apache does it, for example.
You could employ a tool like sudo (http://www.courtesan.com/sudo/) to allow normally unprivileged users to perform privileged actions, such as launching a process that binds to a privileged port.
shanepresley (Author) commented:
Actually I'm having trouble with  ndd -set /dev/tcp tcp_smallest_nonpriv_port #

It will let me set 1024 or higher, but won't let me do

ndd -set /dev/tcp tcp_smallest_nonpriv_port 80
operation failed, Invalid argument

Anyone know if on Solaris 8/9 you can change that value?

tcp_smallest_nonpriv_port *extends* the range of privileged ports; it does not *reduce* it.
Ports 1..1023 are reserved for root on any *nix, for security reasons.

The traditional way to do this is to have a wrapper program that opens the port as root, becomes a non-root user, and then does the work as that non-root user.

This can be done in a single program, or using a "wrapper" that opens the port as root, becomes the non-root user, and executes the "real" program.

This is easily done using inetd, where you give it the name of the service (from /etc/services or the equiv. NIS map), the path of the program to execute, and the user to execute it as.

This way, the program doesn't have to do any network listening stuff at all - just read stdin and write stdout.
tcpwrapper (tcpd) called from inetd is such a program, see
  man portmap
  man inetd

If it has to be a daemon, see the Apache suggestion above ...
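The single-program wrapper described in this answer, as an added example (it is not code from the thread, from Apache or from inetd): a small C program that binds the privileged port while still root, drops to the named unprivileged account, checks that the drop cannot be undone, and then execs the real server. The handover convention (the listening socket is inherited on file descriptor 3 and the real server calls accept() on it instead of bind()ing itself), the argument layout and the program name privbind are assumptions of this example; the code is plain POSIX and does not touch the ndd setting discussed above.

```c
/* privbind.c: open a privileged port as root, become an unprivileged user,
 * then exec the real server. Added example for this thread, not code from
 * the thread. Assumed convention: the real server receives the listening
 * socket on fd 3 and accept()s on it rather than bind()ing itself. */
#define _GNU_SOURCE          /* glibc: exposes initgroups(); harmless elsewhere */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create a TCP listener on 0.0.0.0:port (port 0 = any free port).
 * Binding below 1024 is the step that needs root. Returns fd or -1. */
int bind_listener(int port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons((uint16_t)port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 128) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Port a listener actually received (meaningful after binding port 0). */
int listener_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return -1;
    return ntohs(sa.sin_port);
}

/* Permanently drop root to the named account. Order matters: supplementary
 * groups and gid first, uid last, since once the uid is non-zero the group
 * calls are refused. Then prove the drop is irrevocable: setuid(0) must fail. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        errno = ENOENT;
        return -1;
    }
    if (pw->pw_uid == 0) {      /* "dropping" to root is no drop at all */
        errno = EINVAL;
        return -1;
    }
    if (initgroups(pw->pw_name, pw->pw_gid) < 0)
        return -1;
    if (setgid(pw->pw_gid) < 0)
        return -1;
    if (setuid(pw->pw_uid) < 0)
        return -1;
    if (setuid(0) == 0) {       /* saved uid was still 0: refuse to continue */
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Usage: privbind PORT USER PROGRAM [ARGS...]   (must be started as root) */
int main(int argc, char **argv)
{
    if (argc < 4) {
        fprintf(stderr, "usage: %s port user program [args...]\n", argv[0]);
        return 2;
    }
    int fd = bind_listener(atoi(argv[1]));
    if (fd < 0) {
        perror("bind_listener");
        return 1;
    }
    if (drop_privileges(argv[2]) < 0) {
        perror("drop_privileges");
        return 1;
    }
    /* Hand the socket to the real server on fd 3 (sockets are not close-on-exec). */
    if (fd != 3) {
        if (dup2(fd, 3) < 0) {
            perror("dup2");
            return 1;
        }
        close(fd);
    }
    execvp(argv[3], argv + 3);   /* PROGRAM now runs as USER, already listening */
    perror("execvp");
    return 1;
}
```

Started as, for instance, `privbind 80 www /usr/local/bin/myhttpd` (program path and account name assumed), this is exactly the kind of single root command that the sudo answer earlier in the thread would whitelist for the people who need to restart the service, so nobody has to lower tcp_smallest_nonpriv_port. Two details are easy to get wrong in such wrappers: the group calls must come before setuid(), and the setuid(0) probe afterwards catches a partial drop that left the saved uid at 0.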
They fixed this annoying issue in Solaris 10 with Process Rights - which doesn't help you here.

Also, lowering your non-priv port range to 80 is EXTREMELY dangerous if this server is Internet facing.  As already recommended, using sudo to actually start/stop Apache so that it can bind to the privileged port 80 is the right approach in this situation.