Python: Bind to port 80 as root, then drop privileges?

10 More Discussions You Might Find Interesting

1. Infrastructure Monitoring

Monitoring tools that do NOT require root privileges

Hi guys, I am currently managing an application running on around 150 servers. I only have application usage rights on those servers and do not have any root privileges. I have an external node that can connect to those servers and I have root privileges on that one box. I want to setup...

2. UNIX for Dummies Questions & Answers

Can you gain root privileges if the suid program does not belong to root?

I had a question in my test which asked where suppose user B has a program with 's' bit set. Can user A run this program and gain root privileges in any way? I suppose not as the suid program run with privileges of owner and this program will run with B's privileges and not root.

3. Emergency UNIX and Linux Support

Proxmox dedicated Port forwarding issue Using Default Drop Chain filter

Hi Everyone, Hope all Doing good, we have a Dedicated server and its installed with proxmox VE 3.2, My Need is i want Protect my server and only i need to allow the specific port in the server, And i want to forward some of ports 22,80,443 to those VM's inside my dedicated...

4. HP-UX

User with root privileges in hp ux

hi, i am new in hp ux and i must create a user with root privileges and so i disable ssh connection from root login. thanks..

5. Solaris

Gaining root privileges

Hello I am a new (and only) administrator of a Solaris 10 environment. The previous admin gave me a use (say user123) that is supposed to have administrative privileges. Now the problem is, the user does not have this privilege! Here is what i tried so far: $ id uid=109(user123) gid=1(other)...

6. Shell Programming and Scripting

Privileges like root

My English is no very good. I must make a bash scripting sh create like a backdoor, and when execute the script a user without privileges convert in super user or root, whithout introducing the password. In Spanish: Crear un script que sirva como puerta trasera al sistema, de manera que al...

7. Linux

grant root privileges to ordinary user

Hi, Is it possible to grant root privileges to an ordinary user? Other than 'sudo', is there some way under Users/Groups configuration? I want ordinary user to be able to mount, umount and use command mt. /Brendan

8. UNIX for Dummies Questions & Answers

root privileges

Hello, As admin with root rights, to execute any command from another user without password-ask, I do : su - <user> -c "<cmd>" But how can I do to give the same rights to another physical user without using root user ? :confused: I've try to create another user "toor" with the same primary...

9. Programming

root privileges

Hi I have make a program that needs root privleges but any user can try to run it, so what I want it is, when any user tries( other than root ) to run the program, an input prompt would open to enter root password ( if user knows ) and program will run ( otherwise exit ), and after completing...

10. UNIX for Dummies Questions & Answers

Root privileges &Sudoer

Hi guys... how can a root assign a user all or most of the root privileges? is sudoer comand enough 4 this? thx alot..

LEARN ABOUT DEBIAN

privbind

privbind(1)															       privbind(1)

NAME

       privbind - allow an unprivileged application to bind with reserved ports.

SYNOPSIS

       privbind -u user [ -g group] [ -n num] [ -l path] command [ arguments ... ]

DESCRIPTION

       Normally  in Linux, only a superuser process can bind an Internet domain socket with a reserved port (port numbers less than 1024). Accord-
       ingly, server processes are typically run with superuser privileges, which can be dropped after binding the reserved port.

       privbind can execute an application as an unprivileged user with just one extra privilege: it can bind to reserved ports.

       privbind is useful in several situations. It can be used when the application is not trusted enough; It can be  used  when  the	server	is
       written	in a language without the setuid(2) feature (e.g., Java(TM)); It can also be used to run applications which don't manipulate their
       own user id and need to be able to bind to a reserved port without needing any other root privileges.

OPTIONS

       -u     The -u option is mandatory, and specifies under which user to run the given command.  The user can be specified using either a user-
	      name or a numeric user id.  It should be an unprivileged (non-root) user.

       -g     Specifies  the  group to switch to when running the given command. If this option is missing, then the given user's default group is
	      used.

       -n     privbind's default behaviour is to allow the application to call bind(2) with reserved ports an unlimited number of times. In  order
	      to do that (see "HOW IT WORKS" below), the privbind helper process needs to wait for the application to exit before it terminates.

	      The  -n num option tells privbind that it can assume that only num binds need to be given elevated privileges.  After this number of
	      bind(2) calls have been executed, privbind's helper process will exit, leaving behind only the unprivileged application running.

       -l     Mostly for internal use during build. Gives the explicit path to the LD_PRELOAD library.

       -h     Shows a short help screen, and exits.

EXIT STATUS

       Using technical jargon, privbind execs command as its main process, running itself in the background  (as  a  child  of	the  application's
       process).  The  practical upshot of this, in layman's terms, is that the user never sees privbind's exit status. When running privbind, the
       process will exit whenever, and with whatever exit status, command does.

       The above point should be particularly noted when using privbind to run daemons.

SECURITY CONSIDERATIONS

       privbind has no SUID parts, and runs within the confines of a single process.  This serves to minimize the security implications  of  using
       it.  It	is  strongly  advised that privbind not be made SUID, as this would allow any user that can run it to run any process as any other
       (non-root) user. At the moment privbind detects such a situation and warns about it, but will continue with the execution.

HOW IT WORKS

       In a nutshell, privbind works by starting two processes. One drops privileges and runs (exec(2)) the command, the other	remains  as  root.
       Privbind makes sure to keep a unix domain socket connecting the two processes.

       Privbind  uses  LD_PRELOAD  to intercept every call to bind(2) made by the program. Calls that can be completed non-privileged are done so.
       Calls that require root privileges are forwarded to the root process, that carry them out on the program's behalf.

       A more detailed explanation is available in the README file.

BUGS

       privbind currently uses "SOCK_SEQPACKET" for communication between privileged and non-privileged processes. This socket type is only imple-
       mented on Linux kernel 2.6.4 and later, which makes privbind none portable to older Linux kernels and many other non-Linux platforms.

VERSION

       The version of privbind described by this manual page is 1.0 (June 12, 2007)

COPYRIGHT

       Copyright (C) 2006-2007, Shachar Shemesh plus others. See the AUTHORS file.

       privbind was written by Shachar Shemesh, with contributions from Amos Shapira and Nadav Har'El.

       privbind  is  free  software, released under the GNU General Public License (GPL).  See the COPYING file for more information and the exact
       license terms.

       The latest version of this software can be found in

	   http://sourceforge.net/projects/privbind

       Java is a registered trademark of Sun Microsystems.

SEE ALSO

       su(1), sudo(8), capabilities(7), bind(2), setuid(2), ld.so(8), unix(7)

Privbind 0.1							    22 May 2007 						       privbind(1)

Shell Programming and Scripting