
In some situations a web application will talk to clients through a reverse proxy (e.g. Apache with mod_proxy) where the reverse proxy is listening on port 80 and the web application is listening on a port greater than 1023 (because root owns ports below 1024).

As mentioned in some answers to this question, any process could start listening on the high port if no other process has already started listening on it. This could be a problem if the web application has not started listening on the port yet, and some other process starts listening on it first, either by accident or maliciously.

Is there some way to make a user or group own a port, so that only the owner of the web application can start a process that listens on that port?

David Winiecki

2 Answers


Or you simply assign a fixed port in the reserved port range and grant your application the rights to bind to that port.

sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/application
HBruijn
  • I'm hesitant to use cap_net_bind_service because I think then my web app owner could block other privileged ports. I'm hoping to keep the web app and root permissions as separate as possible. – David Winiecki Apr 25 '16 at 16:16
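The following is an added example, not code from the question or either answer. It shows the two checks a practitioner would want at service start-up for the situations discussed above: first, whether the process actually holds CAP_NET_BIND_SERVICE in its effective set (parsed from the CapEff line of /proc/self/status, the format the kernel uses), reporting that the capability covers every port below 1024 rather than a single one, which is the concern raised in the comment; second, an exclusive bind that does not set SO_REUSEADDR or SO_REUSEPORT and fails loudly with EADDRINUSE if some other process took the port first, instead of silently picking another port. The port number, host and the embedded sample status texts are constructed for the example.

```python
import errno
import re
import socket

# Capability number from linux/capability.h: CAP_NET_BIND_SERVICE = 10.
CAP_NET_BIND_SERVICE = 10

# Constructed samples of /proc/<pid>/status CapEff lines (not captured from a real host).
SAMPLE_STATUS_UNPRIV = "Name:\tapp\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000000000\n"
SAMPLE_STATUS_BIND = "Name:\tapp\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000000400\n"


def effective_caps(status_text):
    """Return the CapEff bitmask (an int) parsed from a /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def has_cap(status_text, cap):
    """True if capability number `cap` is set in the effective set."""
    return ((effective_caps(status_text) >> cap) & 1) == 1


def describe_bind_rights(status_text, port):
    """Explain what the effective capability set means for binding `port`.

    CAP_NET_BIND_SERVICE is all-or-nothing: it permits binding any port below 1024,
    which is why the comment above hesitates to grant it via setcap.
    """
    privileged = port < 1024
    if not privileged:
        return "port %d is unprivileged: any local user could bind it first" % port
    if has_cap(status_text, CAP_NET_BIND_SERVICE):
        return "port %d bindable: CAP_NET_BIND_SERVICE is effective (covers all ports < 1024)" % port
    return "port %d not bindable without CAP_NET_BIND_SERVICE or root" % port


class PortOccupied(RuntimeError):
    """Raised when the wanted port is already held by some other socket."""


def bind_exclusive(port, host="127.0.0.1"):
    """Bind and listen on (host, port) without SO_REUSEADDR/SO_REUSEPORT.

    Without those options the kernel refuses a second bind with EADDRINUSE, so a
    port taken by another process (by accident or not) is detected rather than
    shared or silently skipped. Returns the listening socket on success.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        s.listen(16)
    except OSError as e:
        s.close()
        if e.errno == errno.EADDRINUSE:
            raise PortOccupied("port %d already bound by another socket; refusing to start" % port) from e
        if e.errno == errno.EACCES:
            raise PermissionError("port %d needs CAP_NET_BIND_SERVICE or root" % port) from e
        raise
    return s


def preflight(port, host="127.0.0.1", status_path="/proc/self/status"):
    """Run both checks against the live process; returns (message, listening_socket)."""
    with open(status_path) as f:
        status_text = f.read()
    message = describe_bind_rights(status_text, port)
    return message, bind_exclusive(port, host)


if __name__ == "__main__":
    msg, sock = preflight(8080)  # 8080 is a constructed example port
    print(msg)
    print("listening on", sock.getsockname())
    sock.close()
</```
Note that SO_REUSEPORT is deliberately left unset: it would allow a second listener on the same port, and although Linux only lets sockets with the same effective UID share a port that way, an application that wants the port to itself should not opt into sharing at all.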

If you have SELinux (not sure about AppArmor), you can most likely achieve this:

Make sure that only the context of that specific application can listen to that port and then make sure that only your desired user can start that application.

Florin Asăvoaie