Using low ports without root, capabilities, CAP_NET_BIND_SERVICE

Kenneth Porter shiva at sewingwitch.com
Tue Nov 29 23:52:10 UTC 2005


I want to spawn a user process which can use low (< 1024) ports. Googling 
around, I've determined that I need to spawn the process and grant it the 
"capability" of CAP_NET_BIND_SERVICE (from 
/usr/include/linux/capability.h). It looks like I need to use sucap, 
execcap, or setpcaps. I haven't found any good examples showing how to 
actually do this. (The binary is commercial with no source so I can't 
compile in code to do this. At best I can write a wrapper.)

I tried using setpcaps to give the capability to a known bash process 
running in a second window from a su session, and I get this:

# setpcaps CAP_NET_BIND_SERVICE=eip 11516
[caps set to:
= cap_net_bind_service+eip
]
Failed to set cap's on process `11516': (Operation not permitted)

What's going wrong? I see from some googling that the kernel may be 
compiled to not give init the CAP_SETPCAP capability. Is that the situation 
with Fedora kernels? Do I need a custom kernel? (I tried the latest kernel 
on FC4 and also on an FC2 box.)
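The failure above is the kernel refusing to let one process change another process's capability sets. A wrapper can instead confirm, from inside the target process, whether CAP_NET_BIND_SERVICE is actually in its effective set before the low-port bind is attempted. The program below is an added example (not code from the original post or from any of the tools named in it): it parses the CapEff line of /proc/self/status, tests bit 10, which is the value of CAP_NET_BIND_SERVICE in linux/capability.h, and then tries a bind on a low port so the outcome is visible. The port 80 and the loopback address are constructed choices for the demonstration; the function names are the example's own.

```c
/* cap_check.c: added example, not from the original post.
 * Reports whether CAP_NET_BIND_SERVICE is in the effective capability set
 * of the running process, then attempts a bind on a port below 1024. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Numeric value of CAP_NET_BIND_SERVICE from linux/capability.h. */
#define CAP_NET_BIND_SERVICE_BIT 10

/* Return 1 if capability number `cap` is set in the 64-bit mask `mask`. */
int cap_in_mask(unsigned long long mask, int cap) {
    if (cap < 0 || cap >= 64) return 0;
    return (int)((mask >> cap) & 1ULL);
}

/* Parse a "CapEff:\t0000000000000400" style line from /proc/<pid>/status.
 * `key` selects the set, e.g. "CapEff:". Returns 1 and stores the mask on
 * success, 0 if the line does not start with `key` or the hex is malformed. */
int parse_cap_line(const char *line, const char *key, unsigned long long *mask) {
    size_t klen = strlen(key);
    if (strncmp(line, key, klen) != 0) return 0;
    const char *p = line + klen;
    while (*p == ' ' || *p == '\t') p++;
    char *end;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);
    if (errno != 0 || end == p) return 0;
    *mask = v;
    return 1;
}

/* Convenience: -1 if `line` is not a parseable `key` line, else 0/1 for
 * whether capability `cap` is present in that line's mask. */
int line_has_cap(const char *line, const char *key, int cap) {
    unsigned long long mask = 0;
    if (!parse_cap_line(line, key, &mask)) return -1;
    return cap_in_mask(mask, cap);
}

/* Read the effective set of the calling process. Returns 1 on success. */
int read_effective_caps(unsigned long long *mask) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;
    char line[256];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        if (parse_cap_line(line, "CapEff:", mask)) { found = 1; break; }
    }
    fclose(f);
    return found;
}

/* Try to bind a TCP socket to 127.0.0.1:`port`. Returns 0 on success or the
 * errno from the failing call; without CAP_NET_BIND_SERVICE a port below
 * 1024 fails with EACCES. The socket is closed again either way. */
int try_bind_port(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int err = bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ? errno : 0;
    close(fd);
    return err;
}

int main(void) {
    unsigned long long eff = 0;
    if (!read_effective_caps(&eff)) { perror("/proc/self/status"); return 1; }
    printf("CapEff = %016llx, CAP_NET_BIND_SERVICE %s\n", eff,
           cap_in_mask(eff, CAP_NET_BIND_SERVICE_BIT) ? "present" : "absent");
    int err = try_bind_port(80);   /* constructed demo port; may already be in use */
    printf("bind(127.0.0.1:80): %s\n", err ? strerror(err) : "ok");
    return 0;
}
```

Compile with `cc -o cap_check cap_check.c` and run it as an ordinary user: CapEff is zero and the bind reports "Permission denied". On kernels with file capability support, `setcap cap_net_bind_service=+ep ./cap_check` (from the libcap package) attaches the capability to the binary itself, so the same program run by the same user then shows the bit present and the bind succeeds; that per-file approach grants only the one capability to the one binary, which is the least-privilege outcome the wrapper in the post is after.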
