Bug 201369 - Need to enable server processes to bind to privileged ports as a non-root user
Need to enable server processes to bind to privileged ports as a non-root user
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: David Miller
Brian Brock
:
Depends On:
Blocks: 208140
  Show dependency treegraph
 
Reported: 2006-08-04 13:17 EDT by Tom "spot" Callaway
Modified: 2007-11-30 17:11 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-09-27 02:24:20 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tom "spot" Callaway 2006-08-04 13:17:46 EDT
Description of problem:
It is common to see LDAP servers that need to bind to the standard LDAP and
LDAPS ports (389/636). Currently, this is requires that slapd be run as root, in
order to be able to bind to these ports. Also any watchdog scripts have to 
run as root, and this ends up cascading root access dependencies into other 
areas as well.

This is not specific to LDAP, the concern exists for any server that wants to
bind to "privileged" ports as a non-root user.

Thankfully, this seems pretty easy to resolve. This patch seems to resolve the
situation:

--- /usr/src/linux/include/linux/capability.h	2005-03-02 07:37:50.000000000 +0000
+++ /usr/src/linux/include/linux/capability.h	2005-08-28 00:12:43.150862450 +0100
@@ -311,8 +311,8 @@
 
 #define CAP_EMPTY_SET       to_cap_t(0)
 #define CAP_FULL_SET        to_cap_t(~0)
-#define CAP_INIT_EFF_SET    to_cap_t(~0 & ~CAP_TO_MASK(CAP_SETPCAP))
-#define CAP_INIT_INH_SET    to_cap_t(0)
+#define CAP_INIT_EFF_SET    to_cap_t(~0)
+#define CAP_INIT_INH_SET    to_cap_t(~0)
 
 #define CAP_TO_MASK(x) (1 << (x))
 #define cap_raise(c, flag)   (cap_t(c) |=  CAP_TO_MASK(flag))
--- /usr/src/linux/net/ipv4/devinet.c	2005-03-02 07:37:50.000000000 +0000
+++ /usr/src/linux/net/ipv4/devinet.c	2005-08-28 00:14:09.527835038 +0100
@@ -1232,7 +1232,7 @@
 			.procname	= "mc_forwarding",
 			.data		= &ipv4_devconf.mc_forwarding,
 			.maxlen		= sizeof(int),
-			.mode		= 0444,
+			.mode		= 0644,
 			.proc_handler	= &proc_dointvec,
 		},
 		{

It would seem like this patch might be all that is needed to enable 
setting CAP_NET_BIND_SERVICE to allow binding ports less than 1024.

If there is a more optimal way to achieve this functionality, I'm 
certainly open to other approaches as well. I'm just looking for 
something that will work. It will definitely 
reduce unnecessary risk exposure and decrease operations complexity for many
end-users.
Comment 2 Tom "spot" Callaway 2006-09-10 20:26:47 EDT
Dave, I see you reassigned this to yourself. Any chance of this going in for RHEL 5?
Comment 3 Dave Jones 2006-09-27 02:24:20 EDT
If this makes any sense at all, it needs to happen upstream, as it's a fairly
fundamental change.

Note You need to log in before you can comment on or make changes to this bug.