Re: Tool for getting non-root processes to use ports <1024 - any interest?



Bjoern Schliessmann wrote:
> Arnold Hendriks wrote:
>
>> Did I reinvent the wheel? If so, I would rather share an existing
>> solution, since it saves me some work convincing others that the
>> source code to this root-running process is safe.
>
> Not sure if it works on any POSIX platform, but in GNU/Linux a
> daemon like that would normally be started as root, do anything it
> needs that can only be done as root, and then drop root privileges
> and run as some special user.

True, but then still...
a) you need to confirm that all code leading up to suid(non-0) is safe
b) you might need to convince the admin the code itself _is_ safe, which might be an issue if the application itself is not open source, as it is in my case
c) allowing non-root users to upgrade/maintain the daemon would be insecure, as upgrading the privilege-dropping daemon would allow root access if you can convince the admin/kernel to reboot the system.

Privilege dropping works in many cases, but not if you want an application to be maintained and upgraded by non-root users. As we also have to maintain the software on systems where I don't have root access (or more specifically, I don't _want_ root access), I wrote an easier-to-verify small tool to control and hand out access to the privileged ports.