
In some situations a web application will talk to clients through a reverse proxy (e.g. Apache with mod_proxy) where the reverse proxy is listening on port 80 and the web application is listening on a port greater than 1023 (because root owns ports below 1024).

As mentioned in some answers to this question, any process could start listening on the high port if no other process has already started listening on it. This could be a problem if the web application has not started listening on the port yet, and some other process starts listening on it first, either by accident or maliciously.

Is there some way to make a user or group own a port, so that only the owner of the web application can start a process that listens on that port?
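A defensive startup check for the scenario described above (an added example, not code from the question or either answer): when the application's own bind on the high port fails with EADDRINUSE, read /proc/net/tcp to find which uid already holds a LISTEN socket on that port, so a squatted port is reported and the service refuses to start rather than silently retrying. Assumes Linux; the embedded /proc/net/tcp content is constructed sample data.

```python
import errno
import socket

# Constructed sample of /proc/net/tcp: local address is hex IP:port,
# state 0A is TCP_LISTEN, and column 8 is the uid owning the socket.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C350 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""


def listening_uid(port, text=None):
    """Return the uid owning a TCP LISTEN socket on `port` (IPv4), or None.

    `text` defaults to the live /proc/net/tcp; pass a string to parse a sample.
    """
    if text is None:
        with open("/proc/net/tcp") as f:
            text = f.read()
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != "0A":  # only LISTEN sockets
            continue
        if int(fields[1].rsplit(":", 1)[1], 16) == port:
            return int(fields[7])
    return None


def bind_or_report(port, host="127.0.0.1"):
    """Try to bind and listen on `port`.

    Returns ("bound", socket) on success. If the port is already taken,
    returns ("taken", uid_of_holder) so the caller can refuse to start and
    alert, instead of assuming a benign collision with an old instance.
    SO_REUSEADDR is deliberately not set: it would only widen the window
    in which a second process can share or take over the port.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        s.listen(5)
        return ("bound", s)
    except OSError as e:
        s.close()
        if e.errno != errno.EADDRINUSE:
            raise
        return ("taken", listening_uid(port))
```

A holder uid that differs from the service account is the signal to log and alert on; a uid equal to your own most likely means a previous instance is still running.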

2 Answers


Or you simply assign a fixed port in the reserved port range and grant your application the rights to bind to that port.

sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/application 
  • I'm hesitant to use cap_net_bind_service because I think then my web app owner could block other privileged ports. I'm hoping to keep the web app and root permissions as separate as possible. Commented Apr 25, 2016 at 16:16

If you have SELinux (not sure about AppArmor), you can most likely achieve this:

Make sure that only the context of that specific application can listen to that port and then make sure that only your desired user can start that application.

  • This sounds interesting but I'm hoping for an answer that applies to other Linux distros as well. Commented Apr 24, 2016 at 16:57
