On Thu, 7 Feb 2013, Thomas Goirand <z...@debian.org> wrote:
> > I think he's referring to allowing processes which require listening to a
> > port under 1024 to run without superuser privileges. I believe our
> > implementation on Debian (e.g. Apache) is to have the process start as
> > root, start listening, and then setuid to an unprivileged user.
>
> Which would be the wrong way of doing things / wrong reason
> for using root as running user, since you can set the
> CAP_NET_BIND_SERVICE capability... (man capabilities ...)

Such capabilities allow the process to bind to all low ports, which usually
isn't what you desire. If you want to permit a daemon to bind to exactly one
reserved port and no others then it seems that the options are systemd (if the
daemon supports socket based activation) and SE Linux.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
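
The systemd option mentioned above, seen from the daemon side, as an added example that is not part of the original message: the daemon starts unprivileged, never calls bind(), and accepts only the one listening socket systemd hands it via the `LISTEN_PID`/`LISTEN_FDS` protocol. The function name `inherited_listener` and its `environ` and `first_fd` parameters are hypothetical, chosen for this sketch.

```python
import os
import socket

SD_LISTEN_FDS_START = 3  # first inherited descriptor in systemd's protocol


def inherited_listener(expected_port, environ=None, first_fd=SD_LISTEN_FDS_START):
    """Return the single listening TCP socket passed in by systemd.

    Raises RuntimeError unless exactly one socket was passed to this
    process and it is a listening stream socket bound to expected_port.
    environ and first_fd are hypothetical hooks so the check can be
    exercised outside systemd.
    """
    env = os.environ if environ is None else environ
    # LISTEN_PID guards against variables leaked from a parent process.
    if env.get("LISTEN_PID") != str(os.getpid()):
        raise RuntimeError("not socket-activated: LISTEN_PID does not match")
    if env.get("LISTEN_FDS") != "1":
        raise RuntimeError("expected exactly one inherited socket")

    # Work on a duplicate so a failed check does not close the original fd.
    sock = socket.socket(fileno=os.dup(first_fd))
    try:
        if sock.family not in (socket.AF_INET, socket.AF_INET6):
            raise RuntimeError("inherited descriptor is not an IP socket")
        if sock.type != socket.SOCK_STREAM:
            raise RuntimeError("inherited socket is not a stream socket")
        if not sock.getsockopt(socket.SOL_SOCKET, socket.SO_ACCEPTCONN):
            raise RuntimeError("inherited socket is not listening")
        port = sock.getsockname()[1]
        if port != expected_port:
            raise RuntimeError(f"bound to port {port}, expected {expected_port}")
    except Exception:
        sock.close()
        raise
    return sock
```

Under systemd the daemon would call `inherited_listener(80)` with the defaults; which port is bound is decided by the `ListenStream=` setting of the socket unit, not by the daemon.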