[...] user/group and provides control over per-port access, and supports both IPv4 and IPv6 (IPv6 support has been added as of late).

Configure access to relevant ports, e.g.

Then run your program through authbind (optionally specifying -deep or other arguments, see man authbind):

    authbind -deep /path/to/binary command line args

As pointed out by others, iptables can forward a port.

As also pointed out by others, CAP_NET_BIND_SERVICE can also do the job. Of course CAP_NET_BIND_SERVICE will fail if you launch your program from a script, unless you set the cap on the shell interpreter, which is pointless: you could just as well run your service as root. E.g. for Java, you have to apply it to the JAVA JVM:

    sudo /sbin/setcap 'cap_net_bind_service=ep' /usr/lib/jvm/java-8-openjdk/jre/bin/java

Obviously, that then means any Java program can bind system ports.

I'm also pretty sure xinetd isn't the best of ideas.

But since both methods are hacks, why not just lift the limit by lifting the restriction? Nobody said you have to run a normal kernel, so you can just run your own.

You just download the source for the latest kernel (or the same you currently have). Afterwards, you go to /usr/src/linux-/include/net/sock.h. There you look for this line:

    /* Sockets 0-1023 can't be bound to unless you are superuser */

If you don't want to have an insecure ssh situation, you alter it to this:

    #define PROT_SOCK 24

Generally, I'd use the lowest setting that you need, e.g. 79 for http, or 24 when using SMTP on port 25.

Finished - that stupid limit is GONE, and that also works for scripts.

As a follow-up to Joshua's fabulous (=not recommended unless you know what you do) recommendation to hack the kernel:

With a normal or old kernel, you don't.

    # You can get the kernel-source via package `linux-source`, no manual download required
    # Copy the kernel config file you are currently using
    # Apply the changes to PROT_SOCK define in /include/net/sock.h
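The answers above trade one privilege boundary for another: setcap on the JVM hands CAP_NET_BIND_SERVICE to every Java program, and a lowered PROT_SOCK hands the ports above the new value to every local user. The script below is an added example, not code from any of the answers, that makes those consequences checkable on a running system. It reads the effective capability set from /proc/self/status and, on Linux 4.11 and later, the sysctl net.ipv4.ip_unprivileged_port_start (not mentioned in the answers; it is the runtime equivalent of the PROT_SOCK value and defaults to 1024). The /proc paths, the sample CapEff text and the list of well-known ports are assumptions made here; the pure functions take text so they can be tried on constructed data without root.

```python
"""Audit what allows a process to bind a port below 1024 on Linux.

Added example, not part of the original answers. The /proc paths below are
assumptions for a normal Linux system; the pure functions take text so the
logic can be exercised on constructed input.
"""
import errno
import re
import socket
from pathlib import Path
from typing import List, Optional, Sequence

CAP_NET_BIND_SERVICE = 10      # capability bit number from <linux/capability.h>
DEFAULT_PROT_SOCK = 1024       # the compile-time default discussed in the answers
# Runtime equivalent of PROT_SOCK on Linux 4.11+ (not mentioned on the page):
# ports below this value require CAP_NET_BIND_SERVICE, no kernel rebuild needed.
SYSCTL_PATH = "/proc/sys/net/ipv4/ip_unprivileged_port_start"


def parse_capeff(status_text: str) -> int:
    """Return the effective capability mask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)


def has_cap(cap_mask: int, cap_bit: int) -> bool:
    """True if capability number `cap_bit` is set in `cap_mask`."""
    return (cap_mask >> cap_bit) & 1 == 1


def privileged_port_limit(sysctl_text: Optional[str]) -> int:
    """Ports strictly below the returned value need CAP_NET_BIND_SERVICE.

    None models a kernel without the sysctl, where the compiled-in PROT_SOCK
    value (1024 unless patched as in the answers) applies.
    """
    if sysctl_text is None:
        return DEFAULT_PROT_SOCK
    return int(sysctl_text.strip())


def bind_allowed(port: int, cap_mask: int, limit: int) -> bool:
    """Predict whether a non-root process with `cap_mask` may bind `port`."""
    return port >= limit or has_cap(cap_mask, CAP_NET_BIND_SERVICE)


def exposed_by_limit(limit: int, service_ports: Sequence[int] = (22, 25, 80, 443)) -> List[int]:
    """Well-known ports that a lowered limit lets any local user bind.

    The answer above keeps PROT_SOCK at 24 so that ssh on 22 stays protected;
    this shows what that choice still gives away.
    """
    return [p for p in service_ports if p >= limit]


def probe_bind(port: int) -> str:
    """Actually try to bind `port` on loopback and report the outcome."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("127.0.0.1", port))
        return "bound"
    except OSError as e:
        # EACCES is the privileged-port refusal; EADDRINUSE means a service already owns it
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def report(status_path: str = "/proc/self/status", sysctl_path: str = SYSCTL_PATH) -> dict:
    """Collect the facts for the current process on the running kernel."""
    cap_mask = parse_capeff(Path(status_path).read_text())
    sysctl = Path(sysctl_path)
    limit = privileged_port_limit(sysctl.read_text() if sysctl.exists() else None)
    return {
        "has_cap_net_bind_service": has_cap(cap_mask, CAP_NET_BIND_SERVICE),
        "privileged_port_limit": limit,
        "can_bind_80": bind_allowed(80, cap_mask, limit),
        "exposed_well_known_ports": exposed_by_limit(limit),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
    print("bind 127.0.0.1:80 ->", probe_bind(80))
```

Run it as the service user after applying one of the approaches above: `has_cap_net_bind_service` should be true only for the interpreter or binary you actually granted the capability to, and `exposed_well_known_ports` makes explicit which services a lowered limit opens to every account on the box.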