How can I claim a low-numbered port as non-root the "right way"?

I have a script that I want to run as a daemon listening on a port with a low number (<1024).

The script is in Python, although answers in Perl are also acceptable.

The script is daemonized using start-stop-daemon in the start script, which can complicate the answer.

I really (think I) do not want to type ps -few and see this process running with "root" on it.

How should I do it?

(From my perspective, which is not fully educated about system calls, I see 3 ways:

  • Run the script as root (no --user/--group/--chuid to start-stop-daemon) and have it de-escalate its privileges after it claims the port
  • Setuid root on the script (chmod u+s) and run the script as the current user (via --user/--group/--chuid to start-stop-daemon; the script must still be called as root); in the script, get root privileges, claim the port, and then return to the normal user
  • Something else that I don't know about

)

+3
4 answers

“Something you don’t know about” is “features,” but as mentioned elsewhere, features do not work well with scripts using the shebang method, so there is not much to answer here. I would go with the "bind port, then reset privileges" method.

+2

, , http://antonym.org/2005/12/dropping-privileges-in-python.html

, umask , , , , , , ( , umask , )

, , , 2005 , ,

import grp
import logging
import os
import pwd
import sys

def drop_privileges(uid_name='nobody', gid_name='nogroup'):
    # Get the uid/gid from the name
    running_uid = pwd.getpwnam(uid_name)[2]
    running_gid = grp.getgrnam(gid_name)[2]

    # Try setting the new uid/gid (group first: setgid fails once root is gone)
    try:
        # Remove root's supplementary groups before switching gid/uid
        os.setgroups([])
        os.setgid(running_gid)
    except OSError as e:
        logging.error('Could not set effective group id: %s' % e)
        sys.exit(1)

    try:
        os.setuid(running_uid)
    except OSError as e:
        logging.error('Could not set effective user id: %s' % e)
        sys.exit(1)

    # Ensure a very conservative umask
    new_umask = 0o077
    old_umask = os.umask(new_umask)
    logging.info('drop_privileges: Old umask: %s, new umask: %s' %
                 (oct(old_umask), oct(new_umask)))

    final_uid = os.getuid()
    final_gid = os.getgid()
    logging.info('drop_privileges: running as %s/%s' %
                 (pwd.getpwuid(final_uid)[0],
                  grp.getgrgid(final_gid)[0]))

+2
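
The "bind port, then drop privileges" sequence discussed in the answers above, as an added example that is not part of the original posts: it binds the listening socket first, drops to an unprivileged account, and then verifies that root cannot be regained. The function name bind_then_drop, the nobody account, the 0.0.0.0 bind address and port 80 are assumptions chosen for illustration.

```python
import os
import pwd
import socket


def bind_then_drop(port, user="nobody", host="0.0.0.0"):
    """Bind a listening socket, then permanently switch to `user`.

    Returns (socket, dropped); dropped is False when the process was not
    started as root and therefore had nothing to give up.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))  # the only step that needs root for port < 1024
    sock.listen(16)

    if os.geteuid() != 0:
        return sock, False

    pw = pwd.getpwnam(user)  # assumed account name, see lead-in
    if pw.pw_uid == 0:
        raise ValueError("refusing to 'drop' to a uid 0 account")

    # Order matters: each call below needs the privilege the next one removes.
    os.setgroups([])       # shed root's supplementary groups
    os.setgid(pw.pw_gid)   # real, effective and saved gid
    os.setuid(pw.pw_uid)   # real, effective and saved uid; no way back
    os.umask(0o077)

    # Verify instead of trusting: regaining root must now fail.
    try:
        os.setuid(0)
    except PermissionError:
        pass
    else:
        raise RuntimeError("privilege drop is reversible")
    if 0 in os.getresuid() or 0 in os.getresgid() or 0 in os.getgroups():
        raise RuntimeError("root identity still present after drop")
    return sock, True


if __name__ == "__main__":
    listener, dropped = bind_then_drop(80)  # constructed port for illustration
    print("listening on", listener.getsockname(),
          "as uid", os.getuid(), "dropped:", dropped)
```

The already-bound socket stays usable after the drop, so the accept loop runs entirely as the unprivileged user and ps shows that user rather than root.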

1 - Apache httpd. -, .

+1

, , LD_PRELOAD -ed, root (script ): http://fakeroot.alioth.debian.org/

script ( , ) ; ELF (/usr/bin/python,/bin/sh,/usr/bin/perl ..), . , , , script.

, , , < 1024 >= 1024.

EDIT: I forgot to mention this little tool: redir. This is a local port forwarding service. It is even friendly.

0

Source: https://habr.com/ru/post/1739750/