Using low ports without root, capabilities, CAP_NET_BIND_SERVICE
From: Kenneth Porter (shiva_at_sewingwitch.com)
Date: 11/30/05
- Previous message: Robert Spangler: "Re: Firewalled/NATted with BitTorrent GUI 4.2.0"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Tue, 29 Nov 2005 15:52:10 -0800 To: For users of Fedora Core releases <fedora-list@redhat.com>
I want to spawn a user process which can use low (< 1024) ports. Googling
around, I've determined that I need to spawn the process and grant it the
"capability" of CAP_NET_BIND_SERVICE (from
/usr/include/linux/capability.h). It looks like I need to use sucap,
execcap, or setpcaps. I haven't found any good examples showing how to
actually do this. (The binary is commercial with no source so I can't
compile in code to do this. At best I can write a wrapper.)
I tried using setpcaps to give the capability to a known bash process
running in a second window from a su session, and I get this:
# setpcaps CAP_NET_BIND_SERVICE=eip 11516
[caps set to:
= cap_net_bind_service+eip
]
Failed to set cap's on process `11516': (Operation not permitted)
What's going wrong? I see from some googling that the kernel may be
compiled to not give init the CAP_SETPCAP capability. Is that the situation
with Fedora kernels? Do I need a custom kernel? (I tried the latest kernel
on FC4 and also on a FC2 box.)
-- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
- Previous message: Robert Spangler: "Re: Firewalled/NATted with BitTorrent GUI 4.2.0"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
|
