05-05-2009
permission to bind a socket to port 843?
I have written a flash socket security file server in PHP. The basic idea is that when Flash Player connects via socket to a server, the first thing it does is connect to port 843 and send a request for a 'socket policy file' by sending the string <policy-file-request/>.
The problem I have is that in order to launch this daemon script, I apparently need root level access in order to bind a socket to any port under 1024.
Can anyone recommend some way to let this php script bind to port 843 without needing root-level access? That seems like a big security risk to me -- especially if I want to launch this daemon using a php page hosted by apache. giving apache root-level access sounds like a VERY BAD idea.
10 More Discussions You Might Find Interesting
1. Programming
Does anyone know if it's possible to send socket by a serial port ?
If yes, how can I find on Irix the value of my serial ports to use with this function : serverSockAddr.sin_port = ?
Thanks for all responses !
Kintoo (2 Replies)
Discussion started by: kintoo
2 Replies
2. Solaris
We are making some changes, and are now using Weblogic as the webserver on one of my projects. I would like for the non root user running Weblogic to be able to bind to port 80. (10 Replies)
Discussion started by: 98_1LE
10 Replies
3. UNIX for Dummies Questions & Answers
I want my server socket to listen on two ports in my machine. How do i achieve it? I will have two clients one connecting to 1 port and another to a different port. So my server needs to listen to both.
Thanks. (1 Reply)
Discussion started by: abc.working
1 Replies
4. Programming
Hello everybody,
I've coded a multi-client server based on internet sockets using the scheme
listen on port X-accept-fork, exactly like beej's guide
At some point I would like to establish a secondary connection between a client and the server-child serving him.
I was considering the... (4 Replies)
Discussion started by: jonas.gabriel
4 Replies
5. UNIX for Dummies Questions & Answers
Hi,
1 more new comer with a small problem. I have a Java socket program which tries to bind to a particular socket. It works fine with windows. But in Linux, it says 'address in use'. I tried 'netstat' to find if the port is being used. But it is free. Can anyone help plz? (0 Replies)
Discussion started by: ronyantony
0 Replies
6. Shell Programming and Scripting
I have written a small web server in Python, and now I would like to run it on port 80, but in order to be able to bind to a port below 1024 I need to have root privileges. I don't want to run the server as root, though. How can I bind to port 80 as root and then drop root privileges?
Thankful... (0 Replies)
Discussion started by: Ilja
0 Replies
7. Programming
Can anyone tell what is the system API for VxWorks which is used to find GetLastError() for socket/bind failure.
I need to use it in some VxWorks application and need to call GetLastError but I'm not sure about the correct API.
Thanks in advance (1 Reply)
Discussion started by: anilgurwara
1 Replies
8. Programming
Hello,
I'm trying to write a small c application to test a tcp port. This works fine for the most part but the default timeout on the connect is very long. I have been reading many posts but and it looks like I need to set the socket to be non-blocking and poll for a result. I have been totally... (2 Replies)
Discussion started by: tjones1105
2 Replies
9. Shell Programming and Scripting
i need to come up with a script that when run from the command line, it will bind to a socket, and listen for tcp connections on a certain port.
something like:
### ./connection_listener 5666
i found the following script on the web but when i run it, it complains about "accept" not being... (1 Reply)
Discussion started by: SkySmart
1 Replies
10. IP Networking
Hello,
Please help me in getting the process id and the port number from the socket
netstat -Aan|grep -i closed
f100050010b133b8 tcp 0 0 *.* *.* CLOSED
f1000500119b53b8 tcp4 0 0 *.* *.* ... (3 Replies)
Discussion started by: Vishal_dba
3 Replies
LEARN ABOUT DEBIAN
mac_portacl
MAC_PORTACL(4) BSD Kernel Interfaces Manual MAC_PORTACL(4)
NAME
mac_portacl -- network port access control policy
SYNOPSIS
To compile the port access control policy into your kernel, place the following lines in your kernel configuration file:
options MAC
options MAC_PORTACL
Alternately, to load the port access control policy module at boot time, place the following line in your kernel configuration file:
options MAC
and in loader.conf(5):
mac_portacl_load="YES"
DESCRIPTION
The mac_portacl policy allows administrators to administratively limit binding to local UDP and TCP ports via the sysctl(8) interface.
In order to enable the mac_portacl policy, MAC policy must be enforced on sockets (see mac(4)), and the port(s) protected by mac_portacl must
not be included in the range specified by the net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh sysctl(8) MIBs.
The mac_portacl policy only affects ports explicitly bound by a user process (either for a listen/outgoing TCP socket, or a send/receive UDP
socket). This policy will not limit ports bound implicitly for outgoing connections where the process has not explicitly selected a port:
these are automatically selected by the IP stack.
When mac_portacl is enabled, it will control binding access to ports up to the port number set in the security.mac.portacl.port_high
sysctl(8) variable. By default, all attempts to bind to mac_portacl controlled ports will fail if not explicitly allowed by the port access
control list, though binding by the superuser will be allowed, if the sysctl(8) variable security.mac.portacl.suser_exempt is set to a non-
zero value.
Runtime Configuration
The following sysctl(8) MIBs are available for fine-tuning the enforcement of this MAC policy. All sysctl(8) variables, except
security.mac.portacl.rules, can also be set as loader(8) tunables in loader.conf(5).
security.mac.portacl.enabled
Enforce the mac_portacl policy. (Default: 1).
security.mac.portacl.port_high
The highest port number mac_portacl will enforce rules for. (Default: 1023).
security.mac.portacl.rules
The port access control list is specified in the following format:
idtype:id:protocol:port[,idtype:id:protocol:port,...]
idtype Describes the type of subject match to be performed. Either uid for user ID matching, or gid for group ID matching.
id The user or group ID (depending on idtype) allowed to bind to the specified port. NOTE: User and group names are not
valid; only the actual ID numbers may be used.
protocol Describes which protocol this entry applies to. Either tcp or udp are supported.
port Describes which port this entry applies to. NOTE: MAC security policies may not override other security system policies by
allowing accesses that they may deny, such as net.inet.ip.portrange.reservedlow / net.inet.ip.portrange.reservedhigh. If
the specified port falls within the range specified, the mac_portacl entry will not function (i.e., even the specified
user/group may not be able to bind to the specified port).
security.mac.portacl.suser_exempt
Allow superuser (i.e., root) to bind to all mac_portacl protected ports, even if the port access control list does not explicitly
allow this. (Default: 1).
security.mac.portacl.autoport_exempt
Allow applications to use automatic binding to port 0. Applications use port 0 as a request for automatic port allocation when bind-
ing an IP address to a socket. This tunable will exempt port 0 allocation from rule checking. (Default: 1).
SEE ALSO
mac(3), ip(4), mac_biba(4), mac_bsdextended(4), mac_ifoff(4), mac_mls(4), mac_none(4), mac_partition(4), mac_seeotheruids(4), mac_test(4),
mac(9)
HISTORY
MAC first appeared in FreeBSD 5.0 and mac_portacl first appeared in FreeBSD 5.1.
AUTHORS
This software was contributed to the FreeBSD Project by NAI Labs, the Security Research Division of Network Associates Inc. under
DARPA/SPAWAR contract N66001-01-C-8035 (``CBOSS''), as part of the DARPA CHATS research program.
BSD
December 9, 2004 BSD