How can I open port 80 so a non-root process can bind to it?

I want to run a web server on my Mac as a non-root process. Normally only root processes can bind to port 80 (or to any port below 1024).

Can I open port 80 specifically so that non-root processes can listen on it?


Solution 1:

This is difficult to do by design, and unless you have root access to your machine none of the following will work as they require root to setup the changes. Once changed, though, userspace programs will have access without having root.

There are two common ways to accomplish this, and which you choose will depend on why you're trying to work around the restriction:

Point port 80 to another port, such as 8080

By reconfiguring your machine to pass all port 80 traffic to port 8080, or any port of your choosing, then you can allow user space servers to receive root privilege ports in the area they are given access to.

The process is straightforward:

Step 1: View current firewall rules.

sudo ipfw show

Step 2: Add port forwarding rule (80 to 8080)

sudo ipfw add 100 fwd 127.0.0.1,8080 tcp from any to any 80 in

If you want to remove your firewall rules run:

sudo ipfw flush

(source)

This is a temporary change, and will revert once you reboot, or flush as indicated int he last line.

You can make the change permanent, or you could add the command as a startup line prior to starting your server, which is probably safer from the standpoint of security.

Use Authbind

Authbind was designed specifically to allow one program access to lower level ports without giving it full root access.

There is a MacOSX port:

https://github.com/Castaglia/MacOSX-authbind

It may still be limited to IPv4 traffic, though, so you may have to do some additional investigation to find if it meets your needs

Solution 2:

You can use ncat to forward traffic from a web server running on some other port:

sudo ncat -l -p 80 -c ' ncat -l -p 1234'

This will forward traffic on port 80 to localhost:1234. This is a bit of a kludge however, I wouldn't use it anywhere beyond quick testing and definitely not in production.

Note that this won't allow a non-root process to bind to it, but by picking a port the process can bind to, 1234 in this example, it will look like it is bound to port 80. This is doing the equivalent of forwarding port 80 to port 1234 with a firewall, but on a far more temporary basis.