Allow Non-Root User to Bind to Lower Ports < 1024?
ColinTaylor
Part of the Furniture
Just a random guess, no idea if it would work:
Install
Install
libcap-bin and use something like setcap cap_net_bind_service=ep myexeprog
garycnew
Senior Member
Colin,
I receive "Failed to set capabilities on file" and "Operation not supported" errors attempting to use setcap.
Code:
# opkg install libcap-bin
Installing libcap-bin (2.63-1) to root...
Downloading https://bin.entware.net/armv7sf-k2.6/libcap-bin_2.63-1_armv7-2.6.ipk
Configuring libcap-bin.
# opkg list-installed | grep -i libcap
libcap - 2.63-1
libcap-bin - 2.63-1
# opkg files libcap-bin
Package libcap-bin (2.63-1) is installed on root and has the following files:
/opt/sbin/capsh
/opt/sbin/setcap
/opt/sbin/getpcaps
/opt/sbin/getcap
# setcap cap_net_bind_service=ep /opt/bin/proxy
Failed to set capabilities on file '/opt/bin/proxy': Operation not supported
# getcap /opt/bin/proxy
#A cursory search of the errors does not yield much.
Thanks, again, for your assistance.
Respectfully,
Gary
garycnew
Senior Member
@ColinTaylor
I noticed some references to authbind as an alternative. However, it doesn't appear to be packaged within OpenWRT or Entware. I'd have to roll my own to test.
The last alternative I can think of is to give the application in question root access.
Any additional thoughts on the subject?
Thanks.
Gary
I noticed some references to authbind as an alternative. However, it doesn't appear to be packaged within OpenWRT or Entware. I'd have to roll my own to test.
The last alternative I can think of is to give the application in question root access.
Any additional thoughts on the subject?
Thanks.
Gary
Last edited:
ColinTaylor
Part of the Furniture
I'm not really surprised that setcap didn't work. It probably needs the kernel to be compiled with some option enabled.
I was wondering why you weren't running it as root as that's the way almost everything runs by default. There are a couple of processes that spawn a non-root child process for security but most don't.
I was wondering why you weren't running it as root as that's the way almost everything runs by default. There are a couple of processes that spawn a non-root child process for security but most don't.
garycnew
Senior Member
@ColinTaylor
Security was the primary concern.
It seems functionality trumps security with Asuswrt.
As always, I appreciate your input.
Respectfully,
Gary
ColinTaylor
Part of the Furniture
Well at the risk of sounding like a broken record, Asuswrt is not a Linux distro. It's hardly surprising some features aren't enabled. The objective of Asuswrt is to be as lean as possible and not waste resource by enabling unused/unsupported features. Personally I wouldn't expose any router services to the internet other than OpenVPN. If I wanted to run a public facing service I'd put it on a "proper" machine and not my internet gateway/firewall device. /2cents
garycnew
Senior Member
The services in question are run on AiMesh Nodes within the private network.
Does setting the set uid on exec not work or is that too wide an attack surface for your needs?
garycnew
Senior Member
I suppose that would be a compromise to running the application as root. The preference would be to allow non-root binding to lower ports < 1024, but that doesn't seem plausible under Asuswrt.
I must admit I haven't worked with this kind of approach, the Linux package I maintain is run as root so I haven't needed to worry about this stuff.
So I don't know about how to drop privileges after doing the privileged things you need to do, if it means a lot to you it's probably worth doing a bit of searching on this topic before giving up.
It doesn't look too hard to do:
Linux Audit
We have a look on how to drop privileges for Linux daemons. By dropping privileges a process can be safeguarded against attacks and a successful compromise of the system.
linux-audit.com
garycnew
Senior Member
I believe port-forwarding might be the alternative workaround I've been searching for.
Thanks @ColinTaylor and @raven-au for your input.
Respectfully,
Gary
Thanks @ColinTaylor and @raven-au for your input.
Respectfully,
Gary
garycnew
Senior Member
@RMerlin
It seems there is quite the debate in the kernel world around the premise of this "security feature." I understand both sides of the debate and don't really have a strong opinion one way or the other on the matter.
I was simply trying to discern an answer with regard to its implementation and subjectiveness within Asuswrt, which you and others have confirmed.
I appreciate all that you do in the development and maintenance of one of the best wireless router platforms on the market and for weighing in on such a trivial question.
Thank You!
Respectfully,
Gary
It seems there is quite the debate in the kernel world around the premise of this "security feature." I understand both sides of the debate and don't really have a strong opinion one way or the other on the matter.
I was simply trying to discern an answer with regard to its implementation and subjectiveness within Asuswrt, which you and others have confirmed.
I appreciate all that you do in the development and maintenance of one of the best wireless router platforms on the market and for weighing in on such a trivial question.
Thank You!
Respectfully,
Gary
Similar threads
Similar threads
Similar threads
-
Prevent client from connecting to router but allow connection to internet via access point
- Started by swbrains
- Replies: 4
-
Allow admin web GUI access on another interface (tailscale0)
- Started by mr8
- Replies: 0
-
-
-
-
locked out of asus merlin (Administration > System > Only Allow Specific IP)
- Started by helios123
- Replies: 5
-
Forced to reboot router to allow my laptop to connect to wifi and some other devices to work properly
- Started by jacoscar
- Replies: 25
-
RT-AC88U - Firmware v386.11 does not allow connection to AC Infinity Controller 69 Pro
- Started by Arkitct
- Replies: 1
-
-