Bind to ports less than 1024 without root access [duplicate]

I would like to run applications I'm working on that bind to port numbers less than 1000 without requiring root access.

I'm using Linux Mint and have root access to set it up. I would ideally like to be able to do it over SSH.

Also happy to hear if it isn't possible or I shouldn't be doing it, if that is the case.

EDIT: Mostly I'm happy to use higher port numbers for development, but Flash is expecting a socket policy on port 843. Currently I have to run the app as root and therefore I can't run it from my Makefile which is a PITA.


Solution 1:

Another way of getting your daemon to respond to requests from a lower port number is to use iptables or similar to redirect a lower numbered port to the higher numbered port that your daemon is listening on:

sudo iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-port 8080

Substitute 80 with the port to expose, and 8080 with your application listener port.

Solution 2:

Of course this is possible. You only need to give the binary CAP_NET_BIND_SERVICE.

sudo setcap cap_net_bind_service=ep some-binary

In Linux, the things root can do have been broken up into a set of capabilities. CAP_NET_BIND_SERVICE is the ability to bind to ports <= 1024.

It's probably even possible to use AppArmor, SELinux, or another Linux security module (LSM) to grant the program access to bind that one port specifically, but I think this would be a waste of time. Security is not really based on port numbers to the degree it was in the distant past.

Here's a script for OSX to forward ports 80 and 443 to unprivileged ports:

echo " 
rdr pass inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080
rdr pass inet proto tcp from any to any port 443 -> 127.0.0.1 port 8443
" | sudo pfctl -ef -