jackknack

[SDL] Opening a socket without root privileges


Hi, I have programmed a nice SDL application under Linux here. It opens a UDP socket. However, this requires root privileges, which is a considerable security risk. What do I have to do to be able to start the application as a normal user? Kind regards, jackknack

Here is what I got from Babelfish:

Rear one, I here ne nice SDL application under Linux programmed. This opens a UDP Socket. However are root-right of emergencies, which represents a substantial safety risk. What do I have to do, in order to be able to start application as a normal user? MfG jackknack

"I programmed a nice SDL application under Linux here. This opens a UDP Socket. However are root-(permissions??), which represents a substantial safety risk. What do I have to do, in order to be able to start application as a normal user?"

That's as close as I understand...

I suspect the AP is correct here. Ports between 0-1023 are only usable by root, and the rest of the range is open to everybody.

Thank you guys.
I thought this was a German forum. Thank you for the translation.

Is there any way to use a port number lower than 1024 without root privileges (except kernel-hacking ;-) )?

greetings jackknack

There are a number of ways.

One is to install some kernel modification which gives you alternate port permissions (e.g. grsecurity). This is not normally particularly desirable.

Another is to open the socket as root but then use it in a non-root process. This isn't as daft as it sounds, as you can do the following:

1. Have the server run as root initially, open the socket, then revert to a non-root user to do all other operations (Once the socket is open, changing uid will not cause it to close). This is what web servers (e.g. Apache) typically do.

2. Have another process which runs as root, opens the socket, changes its user ID back to a normal user then exec()s the server process, making sure that the socket file descriptor is on a well-known number (passing the FD number on the command line is one option) and is marked as being left open following an exec() (see fcntl() to set the FD_CLOEXEC flag to 0).

Normally most servers will be run on ports > 1023, except for system-level stuff like ssh and DNS, which normally runs (at least partially) as root anyway.

Mark
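
Option 1 from the answer above (open the socket as root, then revert to a non-root user), together with the FD_CLOEXEC handling that option 2 relies on, as an added example that is not part of the original post. The function names and the `port uid gid` command-line arguments are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* exposes setgroups() in <grp.h> on glibc */
#endif
#include <fcntl.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a UDP socket to `port` on all interfaces; ports below 1024 need root. */
int bind_udp(unsigned short port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) { close(fd); return -1; }
    return fd;
}

/* Permanently switch to uid/gid. Order matters: groups, then gid, then uid. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1; /* shed root's extra groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1; /* regaining root must fail */
    return 0;
}

/* Clear FD_CLOEXEC so the socket stays open across exec() (option 2). */
int keep_across_exec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return fcntl(fd, F_SETFD, flags & ~FD_CLOEXEC);
}

/* Hypothetical usage, started as root: ./server <port> <uid> <gid> */
int main(int argc, char **argv) {
    if (argc != 4) { fprintf(stderr, "usage: %s port uid gid\n", argv[0]); return 2; }
    int fd = bind_udp((unsigned short)atoi(argv[1]));
    if (fd < 0) { perror("bind_udp"); return 1; }
    if (drop_privileges((uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) != 0) { perror("drop"); return 1; }
    printf("fd %d still bound, now running as uid %d\n", fd, (int)getuid());
    return 0;
}
```

Everything the application does after `drop_privileges()` returns runs without root, while the already-bound socket remains usable.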
