Date:	Mon, 15 Sep 2014 13:07:03 +0000 (UTC)
From:	Aleksei Besogonov <>
Subject: Run a script with cap_net_bind_service - mission impossible.


It seems that it's totally impossible to start a script with
cap_net_bind_service capability and as a non-root user without modifying
system-wide settings.

I've trawled the Net for a solution that should be exceedingly simple. I
want to run a daemon under a non-privileged account AND allow it to bind to
'secure' ports (443, 589 and 53). So far I found the following non-solutions:

- Use iptables to redirect ports. Doesn't work with local traffic.
- Use an HTTP proxy server (yeah, and also a DNS proxy server).
- Set cap_net_bind_service capability bit on the script interpreter (so
it'll break during upgrades). 
- Fuck you, run it under the root user. With several permutations like:
  * Dropping caps after opening sockets (can't do this)
  * Dropping all caps before starting the interpreter (fucks up the file

I've tried without any luck various permutations of capsh like:

  capsh --keep=1 --secbits=5 --user=cyberax --caps=cap_net_bind_service+eip -- -c 'nc -l 443'

So is it possible at all?
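
As an added illustration (not part of the original message), the script below applies the execve capability transformation rules documented in capabilities(7) to the Cap* lines of /proc/<pid>/status, to show why the capsh invocation above loses cap_net_bind_service: once the shell execs a binary that carries no file capabilities (an interpreter or nc), the new permitted set is computed only from the file's capability bits and from the ambient set, and on kernels of that era there was no ambient set at all. The sample status lines are constructed, and the ambient-set branch goes beyond what the message discusses: it models the CapAmb set that Linux 4.3 and later expose, which is the mechanism that made this case solvable without file capabilities.

```python
# Added example: parse capability sets from /proc/<pid>/status and apply the
# execve rules from capabilities(7) for a non-root process. Not from the
# original post; the sample status text is constructed.
import re

CAP_NET_BIND_SERVICE = 10  # bit number from <linux/capability.h>

# Constructed sample of `grep Cap /proc/self/status` for a shell started with
# capsh --keep=1 --secbits=5 --user=... --caps=cap_net_bind_service+eip:
# bit 10 is in inheritable, permitted and effective; the ambient set is empty.
SAMPLE_STATUS = """\
CapInh:\t0000000000000400
CapPrm:\t0000000000000400
CapEff:\t0000000000000400
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000000000
"""


def parse_cap_sets(status_text):
    """Return {'Inh': int, 'Prm': int, 'Eff': int, 'Bnd': int, 'Amb': int}.
    'Amb' is missing on kernels older than 4.3, which have no ambient set."""
    sets = {}
    pattern = r"^Cap(Inh|Prm|Eff|Bnd|Amb):\s*([0-9a-fA-F]+)$"
    for m in re.finditer(pattern, status_text, re.M):
        sets[m.group(1)] = int(m.group(2), 16)
    return sets


def has_cap(mask, cap):
    """True if capability bit `cap` is set in the 64-bit mask."""
    return bool((mask >> cap) & 1)


def caps_after_exec(sets, file_inh=0, file_prm=0, file_eff=False):
    """Capability sets after execve, per capabilities(7), for a non-root uid.

    file_inh / file_prm / file_eff describe the executed file's capabilities;
    a script interpreter or nc with no security.capability xattr has all zero.
    Rules:
      P'(amb) = P(amb)                       (file has no caps, so not cleared)
      P'(prm) = (P(inh) & F(inh)) | (F(prm) & P(bnd)) | P'(amb)
      P'(eff) = P'(prm) if F(eff) else P'(amb)
      P'(inh) = P(inh); P'(bnd) = P(bnd)
    """
    amb = sets.get("Amb", 0)  # kernels before 4.3: behaves as always-empty
    new_prm = (sets["Inh"] & file_inh) | (file_prm & sets["Bnd"]) | amb
    new_eff = new_prm if file_eff else amb
    return {"Inh": sets["Inh"], "Prm": new_prm, "Eff": new_eff,
            "Bnd": sets["Bnd"], "Amb": amb}


def cap_survives_exec(status_text, cap=CAP_NET_BIND_SERVICE):
    """Does `cap` remain effective after exec of a file with no file caps?"""
    after = caps_after_exec(parse_cap_sets(status_text))
    return has_cap(after["Eff"], cap)


def cap_survives_with_ambient(status_text, cap=CAP_NET_BIND_SERVICE):
    """Same question, assuming the process had also raised `cap` into its
    ambient set (possible only when the kernel reports a CapAmb line)."""
    sets = parse_cap_sets(status_text)
    if "Amb" not in sets:
        return False  # no ambient set on this kernel: nothing survives
    sets = dict(sets, Amb=sets["Amb"] | (1 << cap))
    after = caps_after_exec(sets)
    return has_cap(after["Eff"], cap)


if __name__ == "__main__":
    # Prefer the live process status when available; fall back to the sample.
    try:
        with open("/proc/self/status") as f:
            status = f.read()
    except OSError:
        status = SAMPLE_STATUS
    print("cap_net_bind_service survives exec (no ambient):",
          cap_survives_exec(status))
    print("cap_net_bind_service survives exec (with ambient):",
          cap_survives_with_ambient(status))
```

Run against the constructed sample, the first check is False, which is exactly the failure in the message: the shell itself holds the capability, but the first exec of a capability-less binary drops it. The second check is True only when the status text contains a CapAmb line, i.e. on a kernel with ambient capabilities; on older kernels the only remaining options are the ones the message lists (file capabilities on the interpreter, a privileged helper that opens the socket, or port redirection).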
