NAME¶
privbind - allow an unprivileged application to bind with reserved ports.
SYNOPSIS¶
privbind -u user [
-g group] [
-n
num] [
-l path]
command [
arguments ... ]
DESCRIPTION¶
Normally in Linux, only a superuser process can bind an Internet domain socket
with a reserved port (port numbers less than 1024). Accordingly, server
processes are typically run with superuser privileges, which can be dropped
after binding the reserved port.
privbind can execute an application as an unprivileged user with just one
extra privilege: it can bind to reserved ports.
privbind is useful in several situations. It can be used when the
application is not trusted enough; It can be used when the server is written
in a language without the
setuid(2) feature (e.g., Java(TM)); It can also be
used to run applications which don't manipulate their own user id and need to
be able to bind to a reserved port without needing any other root privileges.
OPTIONS¶
- -u
- The -u option is mandatory, and specifies under which user to run
the given command. The user can be specified using either a username or a
numeric user id. It should be an unprivileged (non-root) user.
- -g
- Specifies the group to switch to when running the given command. If this
option is missing, then the given user's default group is used.
- -n
- privbind's default behaviour is to allow the application to call
bind(2) with reserved ports an unlimited number of times. In order to do
that (see "HOW IT WORKS" below), the privbind helper
process needs to wait for the application to exit before it terminates.
The -n num option tells privbind that it can assume
that only num binds need to be given elevated privileges. After
this number of bind(2) calls have been executed, privbind's helper
process will exit, leaving behind only the unprivileged application
running.
- -l
- Mostly for internal use during build. Gives the explicit path to the
LD_PRELOAD library.
- -h
- Shows a short help screen, and exits.
EXIT STATUS¶
Using technical jargon,
privbind execs
command as its main
process, running itself in the background (as a child of the application's
process). The practical upshot of this, in layman's terms, is that the user
never sees
privbind's exit status. When running
privbind, the
process will exit whenever, and with whatever exit status,
command
does.
The above point should be particularly noted when using
privbind to run
daemons.
SECURITY CONSIDERATIONS¶
privbind has no SUID parts, and runs within the confines of a single
process. This serves to minimize the security implications of using it. It is
strongly advised that
privbind not be made SUID, as this would
allow any user that can run it to run any process as any other (non-root)
user. At the moment privbind detects such a situation and warns about it, but
will continue with the execution.
HOW IT WORKS¶
In a nutshell,
privbind works by starting two processes. One drops
privileges and runs (exec(2)) the command, the other remains as root.
Privbind makes sure to keep a unix domain socket connecting the two
processes.
Privbind uses LD_PRELOAD to intercept every call to
bind(2) made by the
program. Calls that can be completed non-privileged are done so. Calls that
require root privileges are forwarded to the root process, that carry them out
on the program's behalf.
A more detailed explanation is available in the README file.
BUGS¶
privbind currently uses "SOCK_SEQPACKET" for communication
between privileged and non-privileged processes. This socket type is only
implemented on Linux kernel 2.6.4 and later, which makes privbind none
portable to older Linux kernels and many other non-Linux platforms.
VERSION¶
The version of
privbind described by this manual page is 1.0 (June 12,
2007)
COPYRIGHT¶
Copyright (C) 2006-2007, Shachar Shemesh plus others. See the AUTHORS file.
privbind was written by Shachar Shemesh, with contributions from Amos
Shapira and Nadav Har'El.
privbind is free software, released under the GNU General Public License
(GPL). See the COPYING file for more information and the exact license terms.
The latest version of this software can be found in
http://sourceforge.net/projects/privbind
Java is a registered trademark of Sun Microsystems.
SEE ALSO¶
su(1),
sudo(8),
capabilities(7),
bind(2),
setuid(2),
ld.so(8),
unix(7)