This question is purely hypothetical. Is it possible to restrict which ports certain users may use for their processes? Say user1 gets ports 8000-8999 and user2 gets ports 9000-9999.

I am running Ubuntu 11.10.

knpwrs

  • I think you are talking about TCP/UDP ports. Are these source (listening) or destination ports? Only the super user can start processes listening on low port numbers < 1024. – Khaled Dec 26 '11 at 09:48
  • Yes, I am aware of the ports below 1024. I would like to have more control over the ports higher than that so as to avoid any possible conflicts, e.g. somebody has something running on 9001 and takes it down momentarily -- meanwhile somebody else takes port 9001 for their own purpose. – knpwrs Dec 26 '11 at 09:53

2 Answers

The only Linux native application that can handle this kind of restriction might be SELinux, which is part of the Ubuntu distribution. SELinux is well complicated and I am not sure how you would implement port restrictions on a per-user basis. That will be between you and Google.

This discussion mentions two kernel patches (grsecurity and TOMOYO) which specifically allow port restrictions at the application level, although the discussion includes a reference to per-user port restriction.

Lastly, I have seen links to another kernel patch called 'user-port-hack' but its project page is not forthcoming and one kernel post mentions that it is for kernel 2.4 only. Perhaps you can dig for that.

A left field solution I can see for your requirement is to simply ask users to conform to a policy. i.e. "User X, please only use ports 8000-8999."

Alternatively, if your users insist on using ports other than the 1000 they have been allocated, you could isolate users to their own dedicated virtual machines and then implement firewall/iptables rules at the host level to limit the traffic to a certain port range for each VM's IP address.

venzen


You should consider using iptables with the owner module. I've never tried it in this exact situation, but it seems to answer your question.

Wesley

Dom

  • The iptables user match only works for the OUTPUT chain so I don't think it's a good solution. Your app will be able to open the port and receive data but NOT send. It really depends on the protocol you use through this port (http, ...). If the protocol you use needs negotiation/exchange before being able to be used, you can use this... – Tristan CHARBONNIER Feb 28 '22 at 06:00
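As an added illustration of the owner-match approach from this answer (not code from either answer or the commenter), the script below generates OUTPUT-chain rules for the allocation in the question: user1 may send from 8000-8999, user2 from 9000-9999, and both from the kernel's ephemeral range for outbound client connections; anything else a user sends from a port above 1023 is logged and dropped. The user names, ranges and the assumed ephemeral range (32768-60999) are constructed for the example, and, as the comment above notes, the owner match exists only in OUTPUT, so a listener outside the range can still accept but not reply.

```shell
#!/bin/sh
# Added example: emit iptables OUTPUT rules confining a user's outbound TCP
# traffic to an allocated source-port range. Constructed values throughout.

# Assumed default of net.ipv4.ip_local_port_range; check with sysctl on the host.
EPHEMERAL_LO=32768
EPHEMERAL_HI=60999

# port_rules USER LO HI -> prints the four rules for one user, in match order.
port_rules() {
    user=$1; lo=$2; hi=$3
    # replies sent by listeners bound inside the allocated range
    printf 'iptables -A OUTPUT -p tcp -m owner --uid-owner %s --sport %s:%s -j ACCEPT\n' \
        "$user" "$lo" "$hi"
    # client connections the user initiates use kernel-chosen ephemeral ports
    # (caveat: a listener deliberately bound inside this range is not caught)
    printf 'iptables -A OUTPUT -p tcp -m owner --uid-owner %s --sport %s:%s -j ACCEPT\n' \
        "$user" "$EPHEMERAL_LO" "$EPHEMERAL_HI"
    # everything else from a non-privileged port is logged for the admin, then dropped
    printf 'iptables -A OUTPUT -p tcp -m owner --uid-owner %s --sport 1024:65535 -j LOG --log-prefix "port-policy %s: "\n' \
        "$user" "$user"
    printf 'iptables -A OUTPUT -p tcp -m owner --uid-owner %s --sport 1024:65535 -j DROP\n' \
        "$user"
}

# rules_for_all -> the allocation from the question.
rules_for_all() {
    port_rules user1 8000 8999
    port_rules user2 9000 9999
}

# "apply" executes the rules (needs root); without it the rules are only printed for review.
if [ "$1" = "apply" ]; then
    rules_for_all | sh -e
else
    rules_for_all
fi
```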