Allow Non-Root User to Bind to Lower Ports < 1024?
ColinTaylor
Part of the Furniture
Just a random guess, no idea if it would work:
Install
Install
libcap-bin and use something like setcap cap_net_bind_service=ep myexeprog
garycnew
Senior Member
Colin,
I receive "Failed to set capabilities on file" and "Operation not supported" errors attempting to use setcap.
Code:
# opkg install libcap-bin
Installing libcap-bin (2.63-1) to root...
Downloading https://bin.entware.net/armv7sf-k2.6/libcap-bin_2.63-1_armv7-2.6.ipk
Configuring libcap-bin.
# opkg list-installed | grep -i libcap
libcap - 2.63-1
libcap-bin - 2.63-1
# opkg files libcap-bin
Package libcap-bin (2.63-1) is installed on root and has the following files:
/opt/sbin/capsh
/opt/sbin/setcap
/opt/sbin/getpcaps
/opt/sbin/getcap
# setcap cap_net_bind_service=ep /opt/bin/proxy
Failed to set capabilities on file '/opt/bin/proxy': Operation not supported
# getcap /opt/bin/proxy
#A cursory search of the errors does not yield much.
Thanks, again, for your assistance.
Respectfully,
Gary
garycnew
Senior Member
@ColinTaylor
I noticed some references to authbind as an alternative. However, it doesn't appear to be packaged within OpenWRT or Entware. I'd have to roll my own to test.
The last alternative I can think of is to give the application in question root access.
Any additional thoughts on the subject?
Thanks.
Gary
I noticed some references to authbind as an alternative. However, it doesn't appear to be packaged within OpenWRT or Entware. I'd have to roll my own to test.
The last alternative I can think of is to give the application in question root access.
Any additional thoughts on the subject?
Thanks.
Gary
Last edited:
ColinTaylor
Part of the Furniture
I'm not really surprised that setcap didn't work. It probably needs the kernel to be compiled with some option enabled.
I was wondering why you weren't running it as root as that's the way almost everything runs by default. There are a couple of processes that spawn a non-root child process for security but most don't.
I was wondering why you weren't running it as root as that's the way almost everything runs by default. There are a couple of processes that spawn a non-root child process for security but most don't.
garycnew
Senior Member
@ColinTaylor
Security was the primary concern.
It seems functionality trumps security with Asuswrt.
As always, I appreciate your input.
Respectfully,
Gary
ColinTaylor
Part of the Furniture
Well at the risk of sounding like a broken record, Asuswrt is not a Linux distro. It's hardly surprising some features aren't enabled. The objective of Asuswrt is to be as lean as possible and not waste resource by enabling unused/unsupported features. Personally I wouldn't expose any router services to the internet other than OpenVPN. If I wanted to run a public facing service I'd put it on a "proper" machine and not my internet gateway/firewall device. /2cents
garycnew
Senior Member
The services in question are run on AiMesh Nodes within the private network.
Does setting the set uid on exec not work or is that too wide an attack surface for your needs?
garycnew
Senior Member
I suppose that would be a compromise to running the application as root. The preference would be to allow non-root binding to lower ports < 1024, but that doesn't seem plausible under Asuswrt.
I must admit I haven't worked with this kind of approach, the Linux package I maintain is run as root so I haven't needed to worry about this stuff.
So I don't know about how to drop privileges after doing the privileged things you need to do, if it means a lot to you it's probably worth doing a bit of searching on this topic before giving up.
It doesn't look too hard to do:
How and why Linux daemons drop privileges
By dropping privileges a process can be better protected against attacks. Learn how this applies to Linux systems and software.
linux-audit.com
garycnew
Senior Member
I believe port-forwarding might be the alternative workaround I've been searching for.
Thanks @ColinTaylor and @raven-au for your input.
Respectfully,
Gary
Thanks @ColinTaylor and @raven-au for your input.
Respectfully,
Gary
garycnew
Senior Member
@RMerlin
It seems there is quite the debate in the kernel world around the premise of this "security feature." I understand both sides of the debate and don't really have a strong opinion one way or the other on the matter.
I was simply trying to discern an answer with regard to its implementation and subjectiveness within Asuswrt, which you and others have confirmed.
I appreciate all that you do in the development and maintenance of one of the best wireless router platforms on the market and for weighing in on such a trivial question.
Thank You!
Respectfully,
Gary
It seems there is quite the debate in the kernel world around the premise of this "security feature." I understand both sides of the debate and don't really have a strong opinion one way or the other on the matter.
I was simply trying to discern an answer with regard to its implementation and subjectiveness within Asuswrt, which you and others have confirmed.
I appreciate all that you do in the development and maintenance of one of the best wireless router platforms on the market and for weighing in on such a trivial question.
Thank You!
Respectfully,
Gary
Similar threads
Similar threads
Similar threads
-
-
How to allow incoming WAN connections for WireGuard clients?
- Started by arkywein
- Replies: 5
-
How to prevent WireGuard VPN server clients from accessing the local network (allow only Internet access)?- Started by postoronnim-v
- Replies: 18
-
Asus - RT-AX88U - USB Application - Network Place (Samba) Share / Cloud Disk - Problem when enabling Allow guest login
- Started by Benjamin1904
- Replies: 4
-
-
Prevent client from connecting to router but allow connection to internet via access point
- Started by swbrains
- Replies: 4
-
Allow admin web GUI access on another interface (tailscale0)
- Started by mr8
- Replies: 0
-
-
How would you go about syncing/symlinking root home folder to entware drive during system operation?
- Started by domic
- Replies: 12