HPE Community
Operating System - HP-UX
1834936 Members
2317 Online
110071 Solutions
New Discussion

Re: non-root user using TCP port 80

 
Dave Johnson_1
Super Advisor

‎06-16-2004 04:15 AM

‎06-16-2004 04:15 AM

non-root user using TCP port 80

It has been said to me that only root can claim tcp ports < 1024. So if I want to have an Apache server run as user fred on port 80, this will not work.
Does anyone know if this is true?
Is there a work around for it?
0 Kudos
7 REPLIES 7
Ashwani Kashyap
Honored Contributor

‎06-16-2004 04:24 AM

‎06-16-2004 04:24 AM

Re: non-root user using TCP port 80

The HP bundled apache runs as user "www" on port 80 , and user id of www is not the same as root .however most of the files are ooned by either root or bin .

having said taht I am not sure whether it will function properly if you runt it as other user . It might run , but will function the way its supposed to , I don't know .

0 Kudos
Steven E. Protter
Exalted Contributor

‎06-16-2004 04:33 AM

‎06-16-2004 04:33 AM

Re: non-root user using TCP port 80

Oracle's apache port comes with a script that root must run that gives permission for the server for a non-root user to use port 80.

When you install HP's port of apache depot a script like this(SUID i think) allows access to the port as part of the swinstall process.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Fred Ruffet
Honored Contributor

‎06-16-2004 06:08 AM

‎06-16-2004 06:08 AM

Re: non-root user using TCP port 80

Whatever you put as a user and group in your apache.conf, it will be launched by root (in init scripts).

So if httpd must run as user fred, you must set user and group in apache.conf. If you want your user fred to be able to launch the apache server, you can chown httpd process to root, and setuid it, but it might cause security holes.
chown root:root /opt/apache/bin/httpd
chmod +s /opt/apache/bin/httpd

Regards,

Fred
--

"Reality is just a point of view." (P. K. D.)
0 Kudos
Sundar_7
Honored Contributor

‎06-16-2004 07:13 AM

‎06-16-2004 07:13 AM

Re: non-root user using TCP port 80

Hi Dave,

Yes that is true - only processes owned by root can bind to the ports less than 1024.

But there are work arounds.

1) There is a tunable tcp parameter tcp_smallest_nonpriv_port

# ndd -get /dev/tcp tcp_smallest_nonpriv_port
1024
#

This parameter refers to the smallest port a non-root user process can bind to.

You can decrease to say 80. Though I would not recommend doing it.

2) Some binaries do have the option of being started under a different username. Like for example the named process. named binds to tcp/udp 53. but you can start named under a different user name using -u option.

Learn What to do ,How to do and more importantly When to do ?
0 Kudos
Stuart Browne
Honored Contributor

‎06-16-2004 05:30 PM

‎06-16-2004 05:30 PM

Re: non-root user using TCP port 80

Ports less than 1024 are privlileged ports, allocated to daemons of which are usually somewhat critical.

For security reasons, nost OS's don't allow non-privileged users to start listening on this ports.

If daemons continually run as root however, this causes possible security holes if the daemon can get exploited.

This is why daemons such as Apache and Bind/Named allow you to run as a non-priviliged user.

It still needs root privileges in order to launch, so it can bind to the port, but that's all the 'root' user is required for. Once bound, the daemon spawns children off to less privileged UID's for security.

Even though these daemons end up running as a non-privileged UID, they still can't be started by a non-privileged user because of the port it listens on.

If you want to be able to manage Apache as a non-privileged user ('fred' you said?), being able to stop, start, reload configs etc., then you need an 'SUID' wrapper to do such things.

So to answer your question, Yes. It's True. A non-privileged user cannot *launch* a daemon of which listens on a port below 1024.

As for work-arounds, yes there are. Steven mentioned that there was a wrapper with the 'swinstall' packages, and I'm sure there are a number of other's written by people who want to do a similar thing.
One long-haired git at your service...
0 Kudos
HP-UX Enthusiast
Advisor

‎10-20-2004 02:56 AM

‎10-20-2004 02:56 AM

Re: non-root user using TCP port 80

Use sudo instead of creating/hacking someone elses' wrapper script. sudo will probably do a better and more secure job of it.

You can get it from the HP-UX porting center:
http://hpux.cs.utah.edu
0 Kudos
Dave Johnson_1
Super Advisor

‎10-20-2004 03:02 AM

‎10-20-2004 03:02 AM

Re: non-root user using TCP port 80

Thank you for the late reply.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.