<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta name="keywords" content="Yaws"/>
<title>Yaws</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<link rel="stylesheet" type="text/css" href="stil.css"/>
<link rel="shortcut icon" href="/icons/yaws_y.gif" type="image/x-icon"/>
</head>
<body>
<div class="logo">
<img src="icons/yaws_head.gif" width="600" alt="YAWS"/>
</div>
<div id="sidebar">
<h4> Yaws </h4>
<div class=""> <a href="index.html" id="index" >Top Page</a> </div>
<div class=""> <a href="configuration.html" id="configuration">Build Config and Run</a></div>
<div class=""> <a href="dynamic.html" id="dynamic" >Dynamic Content</a> </div>
<div class=""> <a href="https://github.com/erlyaws/yaws/releases/" id="download">Download </a> </div>
<div class=""> <a href="contact.html" id="contact">Contact </a> </div>
<div class=""> <a href="doc.html" id="doc">Documentation</a> </div>
<div class=""> <a href="articles.html" id="resources">Articles</a> </div>
<h4> Examples </h4>
<div class=""> <a href="/json_intro.html">AJAX/JSON RPC</a></div>
<div class=""> <a href="/appmods.html">Appmods</a> </div>
<div class=""> <a href="/arg.html">Arg</a> </div>
<div class="choosen"> <a href="/privbind.html">Binding to Privileged Ports</a></div>
<div class=""> <a href="/bindings.html">Bindings</a> </div>
<div class=""> <a href="/cgi.html">CGI</a></div>
<div class=""> <a href="/session.html">Cookie Sessions</a> </div>
<div class=""> <a href="/cookies.html">Cookies</a> </div>
<div class=""> <a href="/dynamic.html">Dynamic Content</a> </div>
<div class=""> <a href="/embed.html">Embedding Yaws</a></div>
<div class=""> <a href="/upload0.html">File Upload</a> </div>
<div class=""> <a href="/form.html">Forms</a> </div>
<div class=""> <a href="/haxe_intro.html">haXe Remoting</a></div>
<div class=""> <a href="/pcookie.html">Persistent Cookies</a> </div>
<div class=""> <a href="/query.html">Query Part of URL</a></div>
<div class=""> <a href="/rebar_release.html">Rebar Releases</a></div>
<div class=""> <a href="/redirect.html">Redirect</a> </div>
<div class=""> <a href="/server_sent_events.html">Server-Sent Events</a> </div>
<div class=""> <a href="/ssi.html">Server Side Includes</a> </div>
<div class=""> <a href="/simple.html">Simple</a> </div>
<div class=""> <a href="/soap_intro.html">SOAP with Yaws</a></div>
<div class=""> <a href="/stream.html">Streaming Data</a> </div>
<div class=""> <a href="/websockets.html">Web Sockets</a> </div>
<a href="/shoppingcart/index.html">Tiny Shopping Cart</a>
<div class=""> <a href="/yapp_intro.html">Yaws Applications (yapps)</a></div>
<div class=""> <a href="/logger_mod.html">Write Your Own Logger</a></div>
<h4> Misc </h4>
<div class=""> <a href="/internals.html">Internals</a> </div>
</div>
<div id="entry">
<h1>Binding to privileged ports</h1>
<p>
A common misfeature of UN*X operating systems is the restriction that
only root can bind to ports below 1024. A great deal of effort has been
spent on workarounds, and the usual result is a daemon that runs as root
for no better reason than to bind port 80, which is a security hole in
itself.
</p>
<p>
Both FreeBSD and Solaris have configuration options that turn this
feature off. On FreeBSD:
</p>
<div class="box">
<pre>
$ sysctl net.inet.ip.portrange.reservedhigh=0
</pre>
</div>
<p>
The above is best added to /etc/sysctl.conf so that it survives a reboot.
Note that it lifts the restriction for every user on the host, not only
for the one running Yaws; if you want a per-user grant on FreeBSD, look
at the mac_portacl(4) module instead.
</p>
<p>
Similarly, on Solaris we can configure away the misfeature for a single
user. Assume we want to run Yaws with SSL under the non-root user
"erlang" on ports 80 and 443.
</p>
<p>
On Solaris we do that by granting "erlang" the specific privilege to
bind ports &lt;1024 (and only that privilege) using:
</p>
<div class="box">
<pre>
$ /usr/sbin/usermod -K defaultpriv=basic,net_privaddr erlang
</pre>
</div>
<p>
And check that we got what we asked for:
</p>
<div class="box">
<pre>
$ grep erlang /etc/user_attr
erlang::::type=normal;defaultpriv=basic,net_privaddr
</pre>
</div>
<p>
On Linux, with kernel 2.6.24 or later (the first with file
capabilities), it's possible to do:
</p>
<div class="box">
<pre>
$ setcap 'cap_net_bind_service=+ep' /usr/lib/erlang/erts-5.7.4/bin/beam
</pre>
</div>
<p>
The above command grants beam the capability to bind privileged ports,
and nothing else. Note that you have to grant the capability to the
actual executable you are using: the erts version in the path changes
with every Erlang/OTP upgrade, SMP builds run beam.smp rather than beam,
and a file that is replaced loses its extended attribute, so repeat the
command after an upgrade and verify it with getcap. Also bear in mind
that the capability applies to every Erlang program started through that
beam, not only to Yaws.
</p>
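<p>
The setcap step above, as an added example that is not part of the Yaws
documentation or the Yaws project: a POSIX shell script that asks the
installed erl where its emulator binaries live instead of hard-coding the
erts-5.7.4 path, applies the capability to whichever of beam and beam.smp
exists, and checks the result with getcap. The script name
grant_bind_cap.sh and its "apply" subcommand are this example's own
conventions; it assumes a Linux host with libcap's setcap/getcap and must
run as root to apply anything.
</p>

```shell
#!/bin/sh
# Added example (not part of the Yaws documentation or the Yaws project):
# grant cap_net_bind_service to the beam executable(s) actually used by
# the installed Erlang runtime, then verify the file capability is set.
# Assumes a Linux host with libcap's setcap/getcap and an erl on PATH.
# Run "sh grant_bind_cap.sh apply" as root (or under sudo).
set -eu

# Directory holding the emulator binaries of the erl on PATH, e.g.
# /usr/lib/erlang/erts-5.7.4/bin. Asked of the runtime itself so that a
# hard-coded erts version cannot silently go stale after an upgrade.
erts_bin_dir() {
    erl -noshell -eval \
        'io:format("~s", [filename:join([code:root_dir(),
            "erts-" ++ erlang:system_info(version), "bin"])]), halt().'
}

# Return 0 if one line of getcap(8) output shows cap_net_bind_service as
# both effective and permitted. Both libcap spellings are accepted:
#   /path/beam = cap_net_bind_service+ep      (libcap before 2.41)
#   /path/beam cap_net_bind_service=ep        (libcap 2.41 and later)
# A capability that is only inheritable (+i) does not count.
cap_granted() {
    printf '%s\n' "$1" |
        grep -Eq 'cap_net_bind_service(,cap_[a-z_]+)*[+=]ei?p'
}

# Apply the capability to every emulator binary present (beam for old
# non-SMP builds, beam.smp for SMP builds) and check each one afterwards.
apply_bind_cap() {
    dir=$1
    found=0
    for exe in "$dir/beam" "$dir/beam.smp"; do
        [ -x "$exe" ] || continue
        found=1
        setcap 'cap_net_bind_service=+ep' "$exe"
        if cap_granted "$(getcap "$exe")"; then
            echo "ok: $exe"
        else
            # Typical cause: the filesystem does not carry the
            # security.capability extended attribute.
            echo "FAILED: capability not set on $exe" >&2
            return 1
        fi
    done
    [ "$found" -eq 1 ] || { echo "no beam executable under $dir" >&2; return 1; }
}

case "${1:-}" in
    apply) apply_bind_cap "$(erts_bin_dir)" ;;
esac
```

<p>
Sourcing the script without the "apply" argument only defines the
functions, which is what lets cap_granted be checked against captured
getcap lines on a machine where nothing should be changed.
</p>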
<p>
There are a couple of other options on Linux. One is to use an
auxiliary program like authbind <em>https://packages.debian.org/stable/authbind</em>
or privbind <em>https://sourceforge.net/projects/privbind/</em>.
</p>
<p>
privbind must be started by root (typically through sudo): it keeps a
root helper process around for the privileged binds and runs the command
itself as the target user, so the command starts with root's environment.
authbind runs as the unprivileged user and performs the bind through a
small setuid-root helper. Root's environment does not work that well with
Yaws, which writes its temporary JIT compiled files in $HOME/.yaws: the
process, now running as a non-root user, would try to write in
/root/.yaws. The solution is to set the environment variable YAWSHOME.
Yaws will then use that rather than $HOME.
</p>
<p>
To start yaws under e.g privbind we can do:
</p>
<div class="box">
<pre>
$ sudo YAWSHOME=/tmp/abc privbind -u klacke /home/klacke/bin/yaws \
-c /home/klacke/yaws.conf -i
</pre>
</div>
<p>
The above command starts yaws as user <em>klacke</em>, able to bind
ports below 1024. Pick a YAWSHOME directory that the target user owns:
a fixed name under the world-writable /tmp, as in the example, is fine
for a quick test but not for production, since any local user can create
it first.
</p>
<p>
The authbind program is another option. Here is an example that lets
user <em>bob</em> bind ports 80 and 443; the first six commands are run
as root and the last one as bob:
</p>
<div class="box">
<pre>
touch /etc/authbind/byport/80
touch /etc/authbind/byport/443
chmod 500 /etc/authbind/byport/80
chmod 500 /etc/authbind/byport/443
chown bob /etc/authbind/byport/80
chown bob /etc/authbind/byport/443
YAWSHOME=/home/bob authbind yaws -c /home/bob/yaws.conf -i
</pre>
</div>
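<p>
The authbind setup above, generalised as an added example that is not
part of the Yaws documentation or the authbind package: a POSIX shell
function that creates the byport entries for any list of ports for one
user, refuses ports that do not need authbind, and a check that each
entry grants only that user. AUTHBIND_DIR is this example's own
assumption, made so the functions can be tried against a scratch
directory; real authbind reads /etc/authbind.
</p>

```shell
#!/bin/sh
# Added example (not part of the Yaws documentation or the authbind
# package): create the per-port authbind entries that let one unprivileged
# user bind a list of privileged ports, then check each entry. Assumes
# Debian's authbind layout, which consults /etc/authbind/byport/<port>;
# AUTHBIND_DIR is overridable only so the functions can be exercised
# against a scratch directory.
set -eu

AUTHBIND_DIR=${AUTHBIND_DIR:-/etc/authbind}

# authbind's rule for a byport file: the user may bind the port if the
# file exists and is executable by that user. Mode 500 owned by the user
# is the narrowest grant (no group or world bits, so no other user gets
# the port as a side effect).
# Usage: authbind_allow USER PORT [PORT...]   (run as root in real use)
authbind_allow() {
    user=$1; shift
    mkdir -p "$AUTHBIND_DIR/byport"
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 1023 ]; then
            echo "refusing $port: only ports 1-1023 need authbind" >&2
            return 1
        fi
        f=$AUTHBIND_DIR/byport/$port
        rm -f "$f"
        : > "$f"
        chown "$user" "$f"
        chmod 500 "$f"
    done
}

# Return 0 if the entry for PORT grants USER and nobody else: it must
# exist, be owned by USER and carry mode r-x------ (500). The mode is
# read from ls -ld; a trailing "." or "+" (SELinux label, POSIX ACL) is
# tolerated.
authbind_entry_ok() {
    user=$1; port=$2
    f=$AUTHBIND_DIR/byport/$port
    [ -f "$f" ] || return 1
    set -- $(ls -ld "$f")
    case $1 in
        -r-x------*) [ "$3" = "$user" ] ;;
        *) return 1 ;;
    esac
}
```

<p>
With the entries in place, the unprivileged user starts the server as in
the example above, with YAWSHOME pointing at a directory that user owns.
</p>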
<p>
Here is a description of how to do this on Mac OS X. It's not exactly the
same, since Yaws still binds non-privileged ports and the packet filter
redirects the privileged ones to them. First edit /etc/sysctl.conf and
add:
</p>
<pre>
net.inet.ip.forwarding=1
</pre>
<p>
Then, with ipfw as the firewall (turn off the GUI firewall in System
Preferences and manage your own rules), use ipfw rules like these; for
testing on your own box use something like:
</p>
<pre>
ipfw add fwd 127.0.0.1,8080 tcp from any to 127.0.0.1 dst-port 80 in
ipfw add fwd 127.0.0.1,8443 tcp from any to 127.0.0.1 dst-port 443 in
</pre>
<p>
Set up yaws to use 8080 and 8443 in yaws.conf and then run it as some
non-root user. When you browse to http://127.0.0.1 or https://127.0.0.1
you will see your pages, which are actually served on 8080 and 8443
internally but forwarded there by ipfw. Note that ipfw has been removed
from recent versions of macOS; there the pf packet filter (an rdr rule
in /etc/pf.conf) serves the same purpose.
</p>
<p>
Yet another, more complicated, way for Linux users is to patch the
kernel. Here is a patch I did for some version of the 2.6 series kernels;
you get the idea. It removes the check for everybody, which is the
opposite of what the capability mechanism above gives you, and kernels
from 4.11 on expose the same change at run time through the sysctl
net.ipv4.ip_unprivileged_port_start, so there is no longer any reason to
patch.
</p>
<pre>
[root@lax]ipv4 > diff -c af_inet.c*
*** af_inet.c Wed Feb 23 23:31:35 2005
--- af_inet.c~ Thu Feb 17 18:13:13 2005
***************
*** 423,434 ****
snum = ntohs(addr->sin_port);
err = -EACCES;
- #if 0
- /* removed by klacke */
if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
goto out;
- #endif
-
/* We keep a pair of addresses. rcv_saddr is the one
* used by hash lookups, and saddr is used for transmit.
--- 423,430 ----
</pre>
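<p>
Review bot: the diff is reversed. af_inet.c (the patched file, carrying the #if 0 / #endif wrapper) is passed as the first argument and af_inet.c~ (the original) as the second, so the added lines appear as "-" removals and the new-side hunk "--- 423,430 ----" is empty; apply it with patch -R, or regenerate it as diff -c af_inet.c~ af_inet.c. Functionally, wrapping "if (snum &amp;&amp; snum &lt; PROT_SOCK &amp;&amp; !capable(CAP_NET_BIND_SERVICE))" in #if 0 removes the privileged-port check for every process and every port, not just for the one daemon, and discards the CAP_NET_BIND_SERVICE branch in that same line, which is exactly the path setcap uses to grant the bind to a single executable.
</p>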
<div class="logo">
<img src="/icons/yaws_pb.gif" alt="pbyaws" />
</div>
<p>
<a href="https://validator.w3.org/check?uri=referer"><img
src="https://www.w3.org/Icons/valid-xhtml10"
alt="Valid XHTML 1.0!" height="31" width="88" /></a>
</p>
</body>
</html>