From: daw@cs.berkeley.edu (David Wagner)
To: linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2.6.18 try 2] net/ipv4: sysctl to allow non-superuser to bypass CAP_NET_BIND_SERVICE requirement
Date: Fri, 22 Sep 2006 08:59:12 +0000 (UTC)
Message-ID: <ef08l0$avn$1@taverner.cs.berkeley.edu>
In-Reply-To: 736CE60D-FB88-4246-8728-B7AC7880B28E@atheme.org
William Pitcock wrote:
>This patch allows for a user to disable the requirement to meet the
>CAP_NET_BIND_SERVICE capability for a non-superuser. It is toggled by
>the net.ipv4.allow_lowport_bind_nonsuperuser sysctl value.
Can't you provide this functionality (in a non-transparent way) through
user-space code alone? I'm thinking of a setuid-root program that
takes a port number as argv[1], binds to that port, dup()s the new
file descriptor onto fd 0 (say), drops root, and then forks and execs
a program specified on argv[2]. If you want to get fancy, instead of
exec-ing, you could use the standard trick to pass the file descriptor
over a Unix domain socket to some other process. Seems like you should
be able to make something like this work, as long as you're willing to
make small modifications to the program that uses the low port. Does
that work?
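The wrapper Wagner sketches, written out as an added example that is not part of this thread or of the patch under discussion: a setuid-root C program (hypothetical name `lowport`) binds argv[1] while still privileged, moves the listening socket onto fd 0, drops root permanently to the invoking user, and then execs argv[2] onward (it execs directly rather than forking first; all function names are this example's own).

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

/* Parse a TCP port string; returns 1..65535, or -1 on invalid input. */
int parse_port(const char *s) {
    char *end;
    long v = strtol(s, &end, 10);
    if (*s == '\0' || *end != '\0' || v < 1 || v > 65535) return -1;
    return (int)v;
}

/* Create a listening IPv4 TCP socket on port (0 = any free port); -1 on error. */
int bind_listen_port(int port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons((unsigned short)port) };
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 128) < 0) { close(fd); return -1; }
    return fd;
}

/* Permanently drop to uid/gid, then verify: a drop that silently failed would run the child as root. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;   /* clear supplementary groups */
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;          /* gid first: setuid last loses the right to setgid */
    if (getuid() != uid || geteuid() != uid || getgid() != gid) return -1;
    return 0;
}

/* Usage when installed setuid root (hypothetical): lowport 80 ./myserver --args */
int main(int argc, char **argv) {
    if (argc < 3) { fprintf(stderr, "usage: %s PORT PROGRAM [ARGS...]\n", argv[0]); return 2; }
    int port = parse_port(argv[1]);
    int fd = port < 0 ? -1 : bind_listen_port(port);
    if (fd < 0) { perror("bind_listen_port"); return 1; }
    if (dup2(fd, 0) < 0) { perror("dup2"); return 1; }          /* the socket becomes the child's fd 0 */
    if (fd != 0) close(fd);
    if (drop_privileges(getuid(), getgid()) < 0) { perror("drop_privileges"); return 1; }
    execvp(argv[2], argv + 2);                                   /* nothing after this point runs as root */
    perror("execvp");
    return 1;
}
```

The program that uses the low port only has to accept() on fd 0 instead of calling bind() itself, which is the "small modification" the message refers to.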