* Using SetUID
Setting the set-user-ID-on-execution bit on a user application makes it run with root permission. This is dangerous for security, especially when the application has any vulnerability.
# chown root.root /path/to/program
# chmod u+s /path/to/program
* Using CAP_NET_BIND_SERVICE
With the CAP_NET_BIND_SERVICE capability, a service can bind low ports even though it is running as a non-root user.
# setcap cap_net_bind_service=+ep /path/to/program
Note 1: Red Hat Enterprise Linux 4 and 5 do not provide this capability. To use it, Fedora 11 or a newer version is required.
Note 2: This won't work if the program file is a script.
* Using Port forwarding
If the application can listen on other ports, run it on a high port and forward a low port to it. This can be done with an iptables forwarding rule as shown below.
Enable the IP forward kernel parameter:
# sysctl -w net.ipv4.ip_forward=1
Make iptables rules to redirect packets heading for port 80 to port 8888, which the program will listen on.
# iptables -F -t nat
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to :8888
Then, run the program as a normal user.
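An audit script for the first two mechanisms (SetUID and CAP_NET_BIND_SERVICE), added here as an example and not part of the original post: it walks a directory tree and reports files that are setuid-root or that carry cap_net_bind_service in their security.capability xattr, so an administrator can see which binaries on a host have been granted either privilege. It assumes Linux, the vfs_cap_data layout and capability number from <linux/capability.h> (xattr revisions 1 to 3), and Python 3.3 or newer for os.getxattr.

```python
import os
import stat

# Constants from <linux/capability.h>; assumed to match the running kernel.
CAP_NET_BIND_SERVICE = 10
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
VFS_CAP_PAIRS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}  # u32 pairs per revision

def parse_vfs_caps(blob):
    """Decode a security.capability xattr (struct vfs_cap_data, little-endian u32s) into
    (permitted_bits, inheritable_bits, effective_flag); None if unknown revision/truncated."""
    u32 = lambda off: int.from_bytes(blob[off:off + 4], "little")  # 0 past the end
    magic_etc = u32(0)
    pairs = VFS_CAP_PAIRS.get(magic_etc & 0xFF000000)
    if pairs is None or len(blob) < 4 + 8 * pairs:
        return None
    permitted = inheritable = 0
    for i in range(pairs):  # pair i carries capability bits 32*i .. 32*i+31
        permitted |= u32(4 + 8 * i) << (32 * i)
        inheritable |= u32(8 + 8 * i) << (32 * i)
    return permitted, inheritable, bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)

def describe(mode, uid, cap_blob):
    """Privilege findings for one file from its mode bits, owner uid and xattr."""
    findings = []
    if mode & stat.S_ISUID and uid == 0:
        findings.append("setuid-root")  # method 1: the whole program runs as root
    caps = parse_vfs_caps(cap_blob) if cap_blob else None
    if caps and caps[0] >> CAP_NET_BIND_SERVICE & 1:  # method 2: one capability only
        findings.append("cap_net_bind_service" + ("+ep" if caps[2] else "+p"))
    return findings

def audit_tree(root):
    """Walk `root` and map each flagged file path to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:  # vanished or unreadable entry
                continue
            try:
                blob = os.getxattr(path, "security.capability")  # Linux only
            except OSError:  # no xattr set, or filesystem without xattr support
                blob = b""
            found = describe(st.st_mode, st.st_uid, blob)
            if found:
                report[path] = found
    return report
```

Run it as `audit_tree("/usr/bin")`; after `setcap cap_net_bind_service=+ep /path/to/program` the program shows up as `cap_net_bind_service+ep`, and on RHEL 4/5, which lack file capabilities, only setuid-root findings can appear.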