Regular user using ports below 1024

Is there a way on Linux (CentOS, if that matters) to enable regular users to use ports below 1024 (i.e. open a listening TCP socket on such a port)?

Currently I understand that only root has privileges to use those ports.


Not on CentOS 3/4/5 (Lack of filesystem capabilities):

You can set the CAP_NET_BIND_SERVICE capability on the program that needs to open this port. Root sets the capability on the executable; then any user may run that executable, and it will be able to use ports <1024.

To set the capability on the executable:

setcap cap_net_bind_service=+ep /path/to/program
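As an added check (example code, not from the answer above), the following Python reads the capability bitmasks a Linux kernel exposes in /proc/<pid>/status, tests whether CAP_NET_BIND_SERVICE (capability number 10) is present in the effective set, and probes whether the current process is actually allowed to bind a low port. The sample status text is constructed; the probe assumes a Linux host.

```python
import errno
import socket

# Capability number from linux/capability.h: CAP_NET_BIND_SERVICE = 10,
# so it occupies bit 10 (0x400) of the Cap* bitmasks.
CAP_NET_BIND_SERVICE = 10

# Constructed sample of the Cap* lines from /proc/<pid>/status for a process
# whose permitted and effective sets contain only CAP_NET_BIND_SERVICE.
SAMPLE_STATUS = """\
Name:\tmyserver
CapInh:\t0000000000000000
CapPrm:\t0000000000000400
CapEff:\t0000000000000400
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""


def parse_caps(status_text: str) -> dict:
    """Return {'CapInh': hex, 'CapPrm': hex, ...} from /proc/<pid>/status text."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, _, value = line.partition(":")
            caps[key.strip()] = value.strip()
    return caps


def has_cap(cap_hex: str, cap_number: int) -> bool:
    """True if the given capability bit is set in a Cap* bitmask (hex string)."""
    return bool(int(cap_hex, 16) & (1 << cap_number))


def process_can_bind_low_ports(status_text: str) -> bool:
    """A process may bind ports < 1024 if CAP_NET_BIND_SERVICE is in its effective set."""
    return has_cap(parse_caps(status_text)["CapEff"], CAP_NET_BIND_SERVICE)


def probe_bind(port: int = 80) -> bool:
    """Try to bind a TCP socket to a privileged port on loopback.

    Returns True if the kernel allowed it (EADDRINUSE also means the privilege
    check was passed, since it is done before the port-in-use check), False on
    EACCES. Any other error propagates.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("127.0.0.1", port))
            return True
        except PermissionError:
            return False
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return True
            raise


if __name__ == "__main__":
    try:
        with open("/proc/self/status") as f:
            own = f.read()
        print("CapEff:", parse_caps(own).get("CapEff"))
        print("CAP_NET_BIND_SERVICE in effective set:", process_can_bind_low_ports(own))
    except FileNotFoundError:
        print("/proc/self/status not available (not Linux?)")
    print("bind(80) allowed:", probe_bind(80))
```

Run it once as the unprivileged user before and after the setcap command above (the file capability itself can be inspected with `getcap /path/to/program`). Note that `=+ep` puts the capability in the executable's permitted and effective sets, so every user who can execute the file gets it; the binary should therefore be root-owned and not writable by those users, otherwise anyone who can replace its contents inherits the privilege.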

IIRC this is not possible, or if it is, it is not recommended for security reasons.

But if you want users to be able to listen on a specific port, you could always use a TCP forwarder like rinetd, or iptables rules, to redirect connections to that port to one they can listen on, and have them set their service to listen on that higher port.

For instance the line

aa.bb.cc.dd    80      127.0.0.1   8000

in rinetd's configuration would forward connections to port 80 on address aa.bb.cc.dd to localhost port 8000, which a non-privileged user can listen on. An equivalent iptables rule would be something like

/sbin/iptables -t nat -A PREROUTING -p tcp -d aa.bb.cc.dd --dport 80 -j DNAT --to 127.0.0.1:8000

Either way gives you much more fine-grained control than letting any user listen on any port.

The iptables approach has the advantage that the listening application will see the IP address of the calling client (with the rinetd method it would see all connections as coming from the local host). The iptables method would also allow for UDP as well as TCP.
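To make the last point concrete, here is an added example (not rinetd's code, and not from the answer above): a minimal user-space TCP forwarder in the spirit of rinetd, wired up over loopback with a backend that reports the peer address it observes. Because the forwarder opens its own outbound socket to the backend, the backend logs the forwarder's socket as the peer, not the original client. All ports are ephemeral and chosen by the kernel; the traffic is a constructed one-line exchange.

```python
import socket
import threading


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src hits EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def forward_one(listener: socket.socket, target: tuple, record: dict) -> None:
    """Accept one client, open a fresh connection to target, relay both ways.

    This is what a user-space forwarder like rinetd does: the backend only ever
    talks to the forwarder's own outbound socket.
    """
    client, _ = listener.accept()
    upstream = socket.create_connection(target)
    record["forwarder_outbound"] = upstream.getsockname()  # what the backend sees as peer
    t_in = threading.Thread(target=pump, args=(client, upstream))
    t_out = threading.Thread(target=pump, args=(upstream, client))
    t_in.start()
    t_out.start()
    t_in.join()
    t_out.join()
    client.close()
    upstream.close()


def backend_one(listener: socket.socket, record: dict) -> None:
    """Accept one connection, log the peer address, and echo it to the sender."""
    conn, peer = listener.accept()
    record["backend_saw_peer"] = peer
    with conn:
        conn.recv(4096)  # consume the client's request
        conn.sendall(b"peer=" + peer[0].encode() + b":" + str(peer[1]).encode() + b"\n")


def listen_local() -> socket.socket:
    """Listening socket on an ephemeral loopback port (stands in for port 8000)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def run_demo() -> dict:
    """Wire client -> forwarder -> backend over loopback and report who saw what."""
    record = {}
    backend = listen_local()
    forwarder = listen_local()
    t_backend = threading.Thread(target=backend_one, args=(backend, record))
    t_forward = threading.Thread(
        target=forward_one, args=(forwarder, backend.getsockname(), record)
    )
    t_backend.start()
    t_forward.start()
    with socket.create_connection(forwarder.getsockname()) as client:
        record["client_local"] = client.getsockname()
        client.sendall(b"hello\n")
        client.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            reply += chunk
    record["reply"] = reply
    t_backend.join()
    t_forward.join()
    backend.close()
    forwarder.close()
    return record


if __name__ == "__main__":
    r = run_demo()
    print("client's own address:   ", r["client_local"])
    print("forwarder's outbound:   ", r["forwarder_outbound"])
    print("backend logged as peer: ", r["backend_saw_peer"])
    print("reply relayed to client:", r["reply"])
```

When run, `backend_saw_peer` equals `forwarder_outbound` and differs from `client_local`: any access logging or per-client rate limiting in the backend is blind to the real client, which is the trade-off the answer points out. With the iptables DNAT rule the kernel rewrites only the destination, so the backend sees the real source address. One caveat a practitioner should know with that rule: DNAT to 127.0.0.1 from PREROUTING is only accepted on kernels where the interface's route_localnet sysctl is enabled; redirecting to the host's own non-loopback address, or using `-j REDIRECT --to-ports 8000`, avoids that.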