Low Ports run by non-root

Posted on 2004-11-19
Last Modified: 2013-12-27

Currently Solaris requires that ports under 1024 be run only as root.  So that means our webserver has to be launched as root.  Yes, immediately after launching, Apache cloaks itself as another user.  Nice feature.

But still I am having some problems because I want non-root users to be able to bring up/down processes on port 80.  

I know using 'ndd /dev/tcp tcp_smallest_nonpriv_port' you can change it from 1024 to some lower port, like 80.  

But is it possible to open a single port for non-root access, like ONLY 80, but leave 81-1024 default?

Question by:shanepresley
    LVL 51

    Expert Comment

    > But is it possible to open a single port for non-root access, like ONLY 80, but leave 81-1024 default?
    no, only the way for example apache does it.
    LVL 34

    Expert Comment

    You could employ a tool like sudo to allow normally unprivileged users to perform privileged actions, such as launching a process that binds to a privileged port.
    LVL 1

    Author Comment

    Actually I'm having trouble with  ndd -set /dev/tcp tcp_smallest_nonpriv_port #

    It will let me set 1024 or higher, but won't let me do

    ndd -set /dev/tcp tcp_smallest_nonpriv_port 80
    operation failed, Invalid argument

    Anyone know if on Solaris 8/9 you can change that value?

    LVL 51

    Accepted Solution

    tcp_smallest_nonpriv_port *extends* the range of privileged ports, it does not *reduce* the range.
    Ports 1..1023 are reserved for root in any *nix, for security reasons.
    LVL 14

    Assisted Solution

    The traditional way to do this is to have a wrapper program that opens the port as root, becomes a non-root user, and then does the work as that non-root user.

    This can be done in a single program, or using a "wrapper" that opens the port as root, becomes the non-root user, and executes the "real" program.

    This is easily done using inetd, where you give it the name of the service (from /etc/services or the equiv. NIS map), the path of the program to execute, and the user to execute it as.

    This way, the program doesn't have to do any network listening stuff at all - just read stdin and write stdout.
    LVL 51

    Expert Comment

    tcpwrapper (tcpd) called from inetd is such a program, see
      man portmap
      man inetd

    if it has to be a daemon, see the apache suggestion above ...
    LVL 10

    Assisted Solution

    They fixed this annoying issue in Solaris 10 with Process Rights - which doesn't help you here.

    Also, lowering your non-priv port range to 80 is EXTREMELY dangerous if this server is Internet facing.  As already recommended, using sudo to actually start/stop Apache to bind to the port 80 priv port is the right approach in this situation.
