Date: Mon, 15 Sep 2014 13:07:03 +0000 (UTC)
From: Aleksei Besogonov <alex.besogonov@...il.com>
To: linux-kernel@...r.kernel.org
Subject: Run a script with cap_net_bind_service - mission impossible.

Hi!

It seems that it's totally impossible to start a script with the cap_net_bind_service capability as a non-root user without modifying system-wide settings.

I've trawled the Net for a solution that should be exceedingly simple. I want to run a daemon under a non-privileged account AND allow it to bind to 'secure' ports (443, 589 and 53).

So far I found the following non-solutions:
- Use iptables to redirect ports. Doesn't work with local traffic.
- Use an HTTP proxy server (yeah, and also a DNS proxy server).
- Set the cap_net_bind_service capability bit on the script interpreter (so it'll break during upgrades).
- Fuck you, run it under the root user.

With several permutations like:
* Dropping caps after opening sockets (can't do this)
* Dropping all caps before starting the interpreter (fucks up the file ownership)

I've tried without any luck various permutations of capsh like:

    capsh --keep=1 --secbits=5 --user=cyberax --caps=cap_net_bind_service+eip -- -c 'nc -l 443'

So is it possible at all?
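An added model of the capability transformation the kernel applies at execve(), as documented in capabilities(7); this is example code written for this page, not code from the message or from the kernel, and it shows why the capsh invocation above cannot carry cap_net_bind_service into an interpreter that has no file capabilities. The capability state handed to the interpreter (CAPSH_STATE) is a constructed assumption about what capsh produces, and the ambient set in the formula is the later Linux 4.3 addition that did not exist when this message was written.

```python
# Model of the execve() capability rule from capabilities(7), for a non-root
# caller executing a non-setuid-root binary (root-specific rules are omitted).
# CAP_NET_BIND_SERVICE is bit 10 in the kernel's capability bitmasks.
CAP_NET_BIND_SERVICE = 1 << 10

def caps_after_exec(proc, file_caps, ambient_supported=True):
    """proc: caller's 'inh', 'prm', 'eff', 'bnd', 'amb' bitmasks.
    file_caps: binary's 'inh', 'prm' bitmasks, 'eff' flag, 'setid' flag.
    Returns the capability sets of the new program image."""
    # A file with any file capabilities or a set-UID/GID bit is "privileged"
    # and clears the ambient set (kernels without ambient caps have none).
    privileged = bool(file_caps['inh'] or file_caps['prm'] or file_caps['setid'])
    new_amb = 0 if (privileged or not ambient_supported) else proc['amb']
    # P'(permitted) = (P(inh) & F(inh)) | (P(bnd) & F(prm)) | P'(ambient)
    new_prm = ((proc['inh'] & file_caps['inh'])
               | (proc['bnd'] & file_caps['prm'])
               | new_amb)
    # P'(effective) = F(eff) ? P'(permitted) : P'(ambient)
    new_eff = new_prm if file_caps['eff'] else new_amb
    return {'inh': proc['inh'], 'prm': new_prm, 'eff': new_eff,
            'bnd': proc['bnd'], 'amb': new_amb}

def bind_service_survives(proc, file_caps, ambient_supported=True):
    """True if the exec'd program can still bind ports below 1024."""
    new = caps_after_exec(proc, file_caps, ambient_supported)
    return bool(new['eff'] & CAP_NET_BIND_SERVICE)

# Constructed (assumed) state of the process capsh hands to the interpreter:
# cap_net_bind_service sits in inheritable, permitted and effective, the
# bounding set is full, and the ambient set is empty (2014 kernels had none).
CAPSH_STATE = {'inh': CAP_NET_BIND_SERVICE, 'prm': CAP_NET_BIND_SERVICE,
               'eff': CAP_NET_BIND_SERVICE, 'bnd': (1 << 40) - 1, 'amb': 0}

# A stock interpreter such as bash or python: no file capabilities at all.
PLAIN_INTERPRETER = {'inh': 0, 'prm': 0, 'eff': False, 'setid': False}

# The "non-solution" from the message: setcap cap_net_bind_service+ei on the
# interpreter binary, which upgrades will overwrite.
SETCAP_INTERPRETER = {'inh': CAP_NET_BIND_SERVICE, 'prm': 0, 'eff': True,
                      'setid': False}

if __name__ == '__main__':
    print("plain interpreter, no ambient set:",
          bind_service_survives(CAPSH_STATE, PLAIN_INTERPRETER, False))
    print("interpreter with file caps:",
          bind_service_survives(CAPSH_STATE, SETCAP_INTERPRETER))
```

With an empty file-capability set both terms of P'(permitted) vanish, so the inheritable bit capsh set is irrelevant; only file capabilities on the interpreter, or (on later kernels) an ambient capability, survive the exec.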