|
|
Sponsored Content
Operating Systems
Solaris
Non-root user access to privileged ports-Solaris 8
Post 302342851 by naw_deepak on Tuesday 11th of August 2009 01:30:17 AM
08-11-2009
|
|
10 More Discussions You Might Find Interesting
1. Cybersecurity
I need to set up an application to run in a script which will be running as a web server but is a database. I need to allow users to use the web server but the app must be run as root in order for the ports to be accessible. This is not a very secure environment would like to know how this could... (2 Replies)
Discussion started by: rpollard
2 Replies
2. UNIX for Advanced & Expert Users
Hi friends,
I am having ibm pseries615c3 server. previously i set privileged access password for the firmware. Now i forgot that password. Help me to reset or remove the firmware password from the server. Otherwise anyone plz help me how to change the default boot device in pseries servers. I... (8 Replies)
Discussion started by: muthulingaraja
8 Replies
3. HP-UX
Hi
I have been asked to find out how to
1) create users
2) reset passwords
3) kill processes that may require root privileges
without having root password, sudo rights or rights to passwd command
Any ideas?
Thanks in advance (1 Reply)
Discussion started by: emealogistics
1 Replies
4. Solaris
Dear
i have installed Solaris 10 on SUN V240
after installation i can not access system through root user
if i access system through any other user it conects but root is not connecting through LAN
if i connect through SC and then access root though cosole -f command it also works
kindly... (6 Replies)
Discussion started by: rizwan225
6 Replies
5. Shell Programming and Scripting
Hi,
I need to access a user's command history. However, the dilemma is that he is logged in and so his current history is not yet flushed to .bash_history file which gets flushed when he logs out. Is there a way I can still access his most recent history?
thank you,
S (4 Replies)
Discussion started by: sardare
4 Replies
6. UNIX for Dummies Questions & Answers
hi
i am new to unix and i have abig task. i have to \run particular commands having root privileges from a non root user. i know sudo is one of the way but i need sum other approach kindly help
Thanks (5 Replies)
Discussion started by: suryashikha
5 Replies
7. Linux
How to create a user account on a Linux desktop machine with restrictions on connecting to the LAN, WAN, PCMCIA ports, Firewire, CDROM and generally any user controllable output options?
I have the task to set up a machine for users working with sensitive data that should not be leaving the... (1 Reply)
Discussion started by: netfreighter
1 Replies
8. Shell Programming and Scripting
Currently in my system Red Hat is installed. And Many user connect to my machine via SSH Techia Terminal.
I want to give some users a root level access.
Can anyone please help me how to make it possible. I too searched on the Google but didn't find the correct way
Regards
ADI (4 Replies)
Discussion started by: adisky123
4 Replies
9. AIX
Hi,
I am trying to implement a service on AIX based on ONCRPC protocal and I want to use a RPC library called oncrpc4j because it is a non-blocked i/o library. I found it works fine on my work machine (WIndows 7) but failed on my AIX work station. The author of oncrpc4j told me that check that... (1 Reply)
Discussion started by: derekhsu
1 Replies
10. Solaris
Hello,
It is Solaris-10. There is a file as /opt/vpp/dom1.2/pdd/today_23. It is always generated by root, so owned by root only.
This file has to be deleted as part of application restart always and that is done by app_user and SA is always involved to do rm on that file.
Is it possible to give... (9 Replies)
Discussion started by: solaris_1977
9 Replies
LEARN ABOUT DEBIAN
innbind
INNBIND(8) InterNetNews Documentation INNBIND(8) NAME
innbind - Helper program to bind sockets to privileged ports SYNOPSIS
innbind [-p] fd,family,address,port [...] DESCRIPTION
innbind is a helper program that's not meant to be run directly. Instead, innd and nnrpd use it internally to bind to ports that require root privileges to bind to. This program must be installed setuid root in order for innd or nnrpd to bind to ports under 1024. The only functions that it's willing to perform are to bind an open file descriptor to a given address and port or to create a new socket, bind it, and return the bound socket to its caller. It can only be run as the news user (as specified at configure time), and will only bind to ports 119, 433, 563, an additional port specified with the --with-innd-port argument to configure, or ports numbered 1024 or higher. Each argument to innbind must be a comma-separated list of four elements. The first is the file descriptor number that should be bound, the second is the numeric family of the socket (AF_INET or AF_INET6), the third is the local address to bind to (in dotted-quad format for IPv4 and in colon-separated address format for IPv6), and the fourth is the port number. To bind to all addresses with IPv4, use 0.0.0.0 as the address. To bind to all addresses with IPv6, use "::" as the address. Multiple arguments can be specified to tell innbind to bind multiple sockets at the same time. Any errors (other than permission denied -- see below) encountered will cause innbind to abort, and error messages will be sent both to syslog and to standard error. By default, innbind attempts to just bind the already open file descriptor that it inherits from its caller. For each successfully bound file descriptor (in the order given on the command line), innbind prints "ok" and a newline to its standard output. On some systems (apparently just STREAMS-based systems), however, even a setuid root program cannot bind a socket to a privileged port that was created by a process that didn't have permissions. If innbind gets permission denied when trying to bind a socket, it will print "no" and a newline to its standard output. It will then create a new socket, bind it as specified, and then attempt to pass that socket back to its caller using the I_SENDFD STREAMS ioctl. The caller should receive that file descriptor with I_RECVFD and use it instead of the one that it created. Note that file descriptor passing is only supported on STREAMS-based systems since it is done with ioctls over a pipe. However, it is believed that those systems are exactly the systems that can't simply bind the inherited file descriptor. If this assumption proves to be incorrect, traditional BSD file descriptor passing over a Unix domain socket will have to be added. OPTIONS
-p If given as the first command-line argument, no attempt will be made to bind the inherited file descriptor and innbind will only try creation of a new file descriptor and passing it back via standard output. This option is primarily useful for testing. SECURITY
As innbind is normally installed setuid root, security is even more of an issue for it than for other parts of INN. It is a fairly short program, and if you understand C, you are encouraged to audit it yourself to be certain that it does only what it is supposed to do. The only INN library functions it uses are the vector functions, the message functions for error reporting, and xstrdup. The ports that will be bound are restricted to prevent potential attacks made possible by the ability to bind low-numbered ports, such as exploits of the rsh(1) family of commands on some systems. If innbind is installed setuid root, it can only be executed by the news user to prevent other users on the system from being able to bind to even those few privileged ports that it allows. innbind uses no external configuration files; the only files it might open are through the system getpwnam(3) service to get the UID of the news user. The only user input that it accepts are its command-line arguments. DIAGNOSTICS
innbind may log the following messages to syslog and print them to standard error. cannot create socket for %s: %s (Fatal) innbind fell back on attempting to create a new socket to bind for the given argument, and the socket creation failed. cannot bind socket for %s: %s (Fatal) Calling bind for the socket corresponding to the given argument failed with a system error. If the error indicates permission denied, make sure that innbind is setuid root. This can also be caused by trying to use IPv6 on a system whose kernel does not support it. cannot bind to restricted port %hu in %s (Fatal) The port number portion of the given command-line argument is for a port below 1024 which is not 119, 433, 563, or a port given to --with-innd-port at configure time. Other ports are not allowed for security reasons. cannot get socket options for file descriptor %d: %s (Fatal) innbind was unable to get the socket options for that file descriptor. The most likely cause of this error is passing the wrong file descriptor number to innbind (a file descriptor that isn't open, or that corresponds to a regular file rather than a network socket). cannot get UID for %s (Fatal) innbind was unable to get the UID for the news user specified during configure (and defaulting to "news"). This normally means that user isn't in the system passwd file. cannot mark socket reusable for %s: %s (Fatal) innbind created a new socket for the given argument but was unable to mark its bind address reusable (the SO_REUSEADDR socket option). cannot pass file descriptor: %s (Fatal) innbind created and bound a new file descriptor but was unable to pass it back to its caller via its standard output, using the I_SENDFD STREAMS ioctl. invalid file descriptor %d: not SOCK_STREAM (Fatal) The given file descriptor is not a SOCK_STREAM socket. innbind can only bind SOCK_STREAM sockets. invalid IPv4 address %s in %s (Fatal) The IPv4 address specified in the given command-line option could not be parsed by inet_aton(3). IPv4 addresses should be specified in the standard dotted-quad format (10.2.3.4). invalid IPv6 address %s in %s (Fatal) The IPv6 address specified in the given command-line option could not be parsed by inet_pton(3). IPv6 addresses should be specified in RFC 4291 format (1080:0:0:0:8:800:200C:417A or 1080::8:800:200C:417A). invalid command-line argument %s (Fatal) The specified command-line argument could not be parsed or was not in the correct format. invalid file descriptor %s in %s (Fatal) The file descriptor portion of the given command-line argument is not a non-negative integer. invalid port number %s in %s (Fatal) The port number portion of the given command-line argument is not a non-negative integer. invalid protocol family %s in %s (Fatal) The protocol family portion of the given command-line argument is not a non-negative integer. It should be equal to either AF_INET or AF_INET6 on the system where innbind is run. must be run by user %s (%lu), not %lu (Fatal) When setuid root, innbind may only be run by the news user as specified at configure time ("news" by default), for security reasons. no addresses specified (Fatal) No arguments were given on the command line (except maybe -p). port may not be zero in %s (Fatal) The port number portion of the given command-line argument was zero. unknown protocol family %s in %s (Fatal) The protocol number portion of the given command-line argument is neither AF_INET nor AF_INET6. EXAMPLES
As mentioned above, innbind is never run directly, only by innd and other programs that need to bind to and listen to network ports. Sample invocations by innd would be: innbind 3,10,::,119 to bind the IPv6 socket on file descriptor 3 to port 119, all addresses, or: innbind 6,2,10.0.0.3,433 to bind the IPv4 socket on file descriptor 6 to port 433 in the address 10.0.0.3. HISTORY
Written by Russ Allbery <rra@stanford.edu> for InterNetNews. $Id: innbind.pod 8894 2010-01-17 13:04:04Z iulius $ SEE ALSO
inet_aton(3), inet_pton(3), innd(8), nnrpd(8). INN 2.5.3 2010-02-08 INNBIND(8)