
Does Authbind's helper really need setuid root, or can it run with the CAP_NET_BIND_SERVICES capability and still work?

slm
user314104
  • Yet another missing tag; someone with enough privileges, please tag this with "authbind" – user314104 Feb 14 '14 at 02:22
  • We have ~36K Q's on the site and this is only the 2nd instance that has ever mentioned `authbind`. I've never even heard of this and I've been in the business for 20+ years so it's hardly a surprise that this tag doesn't exist. This is similar functionality to `capabilities` which is pretty widespread. – slm Feb 14 '14 at 02:39
  • Wow. Yeah, the concept behind `authbind` is similar to that of capabilities, but `authbind` existed before the support for capabilities in Linux... or so the Wikipedia article says. :) Unfortunately, Linux capabilities are a bit too ... /damaged/ for me to use directly. Combining authbind and capabilities, however, seems like the best of both worlds: I get to set permissions by uid (authbind) and I don't need set(e)uid root. – user314104 Feb 14 '14 at 14:19
  • I was probably more so surprised than you when I searched our site and didn't find but 2 references, including yours. In reading the wikipedia page it made sense and I've used capabilities myself, but am a new Debian user so was taken aback that something like that had slipped through the cracks. – slm Feb 14 '14 at 14:22
  • Anywhoo, so in reading about it, it sounds like you have to have setuid to make it work. – slm Feb 14 '14 at 14:22
  • 1
    I'm thinking the helper process need not be set[e]uid; the only special privilege it needs is the service socket binding one. I'm currently experimenting with doing that, and it *seems* like that works. I'll have to do some more experiments to confirm, and possibly look at the source. – user314104 Feb 14 '14 at 16:49

1 Answer


I found this excerpt in this thread titled: Bind to ports less than 1024 without root access.

excerpt

I dimly remember a library called "authbind" that does what you need, by wrapping the bind() system call (via a LD_PRELOAD library), and, if a privileged port is requested, spawning a setuid root program that receives a copy of the file descriptor, then verifies the application is indeed permitted to bind to the port, performs the bind() and exits.

slm
  • http://serverfault.com/questions/268099/bind-to-ports-less-than-1024-without-root-access | From the actual Stack Exchange site – user314104 Feb 14 '14 at 14:14
  • @user314104 - ha, that's funny, I thought the posts in the thread looked like a SE site but didn't think to search for the quote to find it. Nice sleuthing. – slm Feb 14 '14 at 14:19
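An added check script for the experiment user314104 describes in the question comments and for the helper mechanism quoted in the answer; it is not from the thread or from authbind. It reports whether a helper binary gets its privilege from a setuid-root bit, from a cap_net_bind_service file capability (libcap's getcap/setcap), or both, and whether a running process actually holds CAP_NET_BIND_SERVICE (capability bit 10) in its effective set. The HELPER path is a placeholder, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not authbind's code): inspect how a bind helper is privileged.
CAP_NET_BIND_SERVICE=10   # bit number from linux/capability.h

# cap_in_mask HEXMASK CAPNUM -> succeeds when bit CAPNUM is set in the hex mask
# (HEXMASK is the 16-hex-digit value printed in /proc/PID/status CapEff lines).
cap_in_mask() {
    mask=$1; cap=$2
    [ $(( 0x$mask >> cap & 1 )) -eq 1 ]
}

# capeff_of_pid PID -> prints the effective capability mask of that process
capeff_of_pid() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# describe_privilege PATH -> setuid-root | file-cap | both | none
describe_privilege() {
    path=$1; suid=0; fcap=0
    mode=$(stat -c %a "$path") || return 2
    owner=$(stat -c %u "$path")
    # the setuid bit (04000) only grants root when the file is owned by uid 0
    if [ $(( 0$mode & 04000 )) -ne 0 ] && [ "$owner" = 0 ]; then suid=1; fi
    # getcap prints "+ep" (older libcap) or "=ep" (newer); both name the cap
    fcaps=$(getcap "$path" 2>/dev/null || true)
    case $fcaps in *cap_net_bind_service*) fcap=1 ;; esac
    case "$suid$fcap" in
        11) echo both ;;
        10) echo setuid-root ;;
        01) echo file-cap ;;
        *)  echo none ;;
    esac
}

# Placeholder: point HELPER at the authbind helper installed on your system.
HELPER=${HELPER:-/path/to/authbind/helper}
if [ -e "$HELPER" ]; then
    echo "$HELPER is privileged via: $(describe_privilege "$HELPER")"
else
    echo "helper not found at $HELPER (set HELPER=/real/path to check it)"
fi

# Show whether this shell itself could bind a low port without being root.
mask=$(capeff_of_pid $$ 2>/dev/null)
if [ -n "$mask" ]; then
    if cap_in_mask "$mask" "$CAP_NET_BIND_SERVICE"; then
        echo "pid $$ (euid $(id -u)) holds CAP_NET_BIND_SERVICE"
    else
        echo "pid $$ (euid $(id -u)) lacks CAP_NET_BIND_SERVICE"
    fi
fi
```

Running it on a helper that reports `file-cap` while `stat` shows no setuid bit is the evidence the comment above is looking for: the binding privilege is present without uid 0 on the process.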